zubilent | 4 days ago
Is the npm package ecosystem fixable at this point? It seems to be flawed by design. Is there a way to not accept any package version less than X months old? It's not ideal because malicious changes may still have gone undetected in that time span. Time to deploy AI to automatically inspect packages for suspect changes. | ||
mattstir | 4 days ago | parent
It's a tricky thing because what if the update fixes a critical vulnerability? Then you'd be stuck on the exploitable version for X months longer.
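The "don't accept a version younger than X" idea from the first comment, together with the objection in the reply, can be made concrete as a resolver-side check. The example below is added here and is not code from either commenter or from npm: it reads the `time` map that the npm registry's package document exposes (version to publish timestamp), picks the newest version that has been public for at least a minimum age, and lets a reviewed version (for instance a security fix) bypass the waiting period through an explicit allowlist. The package metadata, version numbers and dates are constructed sample data.

```javascript
// Added example: a publish-age ("cooling-off") check over npm registry metadata.
// The registry's package document (GET https://registry.npmjs.org/<name>) carries
// a "time" object mapping each version to its publish timestamp; that is the only
// field this check relies on. SAMPLE_META below is constructed, not a real package.

const DAY_MS = 24 * 60 * 60 * 1000;

// Compare two "major.minor.patch" strings numerically.
// Pre-release suffixes are deliberately not handled in this example.
function compareSemver(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Days elapsed between a version's publish time and "now" (both ISO 8601).
function ageInDays(publishedIso, nowIso) {
  return (Date.parse(nowIso) - Date.parse(publishedIso)) / DAY_MS;
}

// Newest version that has been public for at least minAgeDays.
// A version on the allowlist (e.g. a patch you have reviewed yourself) wins
// immediately, which is the escape hatch for the "critical fix" objection.
// Returns null when no version is old enough and nothing is allowlisted.
function pickVersion(meta, { minAgeDays, now, allowlist = [] }) {
  const candidates = Object.keys(meta.versions)
    .filter((v) => meta.time[v] !== undefined)
    .sort(compareSemver)
    .reverse(); // newest first
  for (const v of candidates) {
    if (allowlist.includes(v)) return { version: v, reason: 'allowlisted' };
    if (ageInDays(meta.time[v], now) >= minAgeDays) return { version: v, reason: 'aged' };
  }
  return null;
}

// Versions that the policy is currently holding back, so a reviewer can see
// exactly what was skipped and decide whether any of them deserves review.
function heldBack(meta, { minAgeDays, now }) {
  return Object.keys(meta.versions)
    .filter((v) => ageInDays(meta.time[v], now) < minAgeDays)
    .sort(compareSemver);
}

// Constructed registry document: three releases, the newest published two days
// before the evaluation date.
const SAMPLE_META = {
  name: 'example-pkg', // placeholder name, not a real package
  'dist-tags': { latest: '1.2.0' },
  versions: { '1.0.0': {}, '1.1.0': {}, '1.2.0': {} },
  time: {
    '1.0.0': '2024-01-01T00:00:00Z',
    '1.1.0': '2024-06-01T00:00:00Z',
    '1.2.0': '2024-08-30T00:00:00Z',
  },
};
const NOW = '2024-09-01T00:00:00Z';

// Usage: 30-day policy holds back 1.2.0 and resolves to 1.1.0; an allowlist
// entry for 1.2.0 overrides the wait.
console.log(pickVersion(SAMPLE_META, { minAgeDays: 30, now: NOW }));
console.log(heldBack(SAMPLE_META, { minAgeDays: 30, now: NOW }));
console.log(pickVersion(SAMPLE_META, { minAgeDays: 30, now: NOW, allowlist: ['1.2.0'] }));
```

The allowlist is the deliberate answer to the reply's objection: the waiting period is the default, and a version that was reviewed out of band can be pinned through it without dropping the policy for everything else. The `heldBack` report exists so that the skipped versions are visible rather than silently ignored.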