lrvick 3 days ago
And then the vulnerable code will just move to shell execs in the main library that fire the next time you include the library in your project. If you do not have time to review a library, then do not use it.
efortis 2 days ago
I partially agree, but that does mitigate it. The report says the attacker injected a `postinstall` script, which is common. On the other hand, yes, an attack at code level, or a legit bug wouldn't be prevented.
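An added example, not code from the thread, for the `postinstall` vector efortis mentions: it walks a node_modules tree and lists every dependency that declares an install-time lifecycle script, so those few packages can be reviewed (or install scripts disabled outright with npm's `ignore-scripts` setting) instead of auditing every package. The package names and commands it uses are constructed sample data.

```python
# Added example (not from the thread): flag dependencies that declare npm
# install-time lifecycle scripts, which is what a `postinstall` injection
# relies on. Constructed sample manifests stand in for a real node_modules.
import json
import tempfile
from pathlib import Path

# npm runs these scripts for a dependency when it is installed from the registry.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def install_hooks(manifest: dict) -> dict:
    """Return the install-time lifecycle scripts declared by one package.json."""
    scripts = manifest.get("scripts") or {}
    return {hook: scripts[hook] for hook in INSTALL_HOOKS if hook in scripts}


def audit_node_modules(root) -> list:
    """Walk every package.json under root; return (package, hook, command) triples."""
    findings = []
    for pkg_json in sorted(Path(root).rglob("package.json")):
        try:
            manifest = json.loads(pkg_json.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it, don't abort the audit
        name = manifest.get("name") or pkg_json.parent.name
        for hook, cmd in install_hooks(manifest).items():
            findings.append((name, hook, cmd))
    return findings


def demo() -> list:
    """Build a constructed node_modules tree in a temp dir and audit it."""
    sample = {  # constructed manifests, not real packages
        "left-pad-ish": {"name": "left-pad-ish", "scripts": {"test": "node test.js"}},
        "native-thing": {"name": "native-thing", "scripts": {"install": "node-gyp rebuild"}},
        "suspicious": {"name": "suspicious", "scripts": {"postinstall": "node setup.js"}},
    }
    with tempfile.TemporaryDirectory() as tmp:
        for directory, manifest in sample.items():
            pkg_dir = Path(tmp, "node_modules", directory)
            pkg_dir.mkdir(parents=True)
            (pkg_dir / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
        return audit_node_modules(Path(tmp, "node_modules"))


if __name__ == "__main__":
    for name, hook, cmd in demo():
        print(f"{name}: {hook} -> {cmd}")
```

A legitimate native module (the `install` hook in the sample) shows up alongside the suspicious one, so the output is a review list, not a verdict.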
singulasar 3 days ago
I'm so sick of people saying this. If you use js for any non-tiny project, you'll have a bunch of packages. Due to how modules work in js, you'll have many, many sub dependencies. Nobody has time to review every package they'll use, especially when not all sub dependencies have fully pinned versions. If you have time to review every package, every time it updates, you might as well just write it yourself. Yes, this is a problem; no, reviewing every dependency is not the damn solution.