zygentoma 3 hours ago

Somehow it is missing the "read the code of your dependency" step … :)

Even occasionally having a glance (e.g. when reading the docs) might be super helpful in discovering strange things going on.

invaliduser 3 hours ago | parent [-]

Or maybe just read the commits between now and a reasonable date far enough in the past so that if there is some hostile code injected before that point in time, then at least you will share the walk of shame with a lot of people and you can play the sound of "who could have guessed?"

dns_snek 3 hours ago | parent [-]

There's no point in reading the code in the Git repository or its commit history because that's not the code that you're actually executing. You have to read what's in your node_modules, everything else is irrelevant.

kpcyrd 3 hours ago | parent [-]

This is often overlooked, to the point I created a website focusing on "the code we actually put into our computers":

https://whatsrc.org/

It doesn't index all of npm, only if the package was referenced by a Linux distribution somehow (e.g. package-lock.json in a tar file used in an Arch Linux PKGBUILD).