Nobody - and I mean absolutely nobody - using Node.js has fully audited all of the dependencies they use and if we find somewhere in a cave a person that did that they are definitely not going to do it all over again when something updates.

▲

cluckindan 6 hours ago | parent [-]

I can guarantee that any financial institution which has standard auditing requirements and is using Node.js has fully audited all of the dependencies they use.

Outside that, the issue is not unique to Node.js.

▲

jacquesm 6 hours ago | parent [-]

Sorry, but that had me laughing out loud.

No, they haven't.

I should know, I check those companies for a living. This is one of the most often flagged issues: unaudited Node.js dependencies. "Oh but we don't have the manpower to do that, think about how much code that is".

▲

DamonHD 6 hours ago | parent [-]

When I last looked (as a consulting dev in a bank or three, horrified) absolutely they had not!

▲

cluckindan 5 hours ago | parent [-]

If this was in the US, all financial institutions need to audit their code to comply with NIST SP 800-53.

If they haven’t, it would be ethically dubious for you to not report it.

	▲	jacquesm 10 minutes ago \| parent \| next [-]
		In theory there is no difference between theory and practice, but in practice there is. > If they haven’t, it would be ethically dubious for you to not report it. I can report all I want, someone needs to act on that report for it to have an effect. There are people out there who think that some static analysis tool plugged into their CI/CD pipeline is the equivalent of a code audit.
	▲	drw85 2 hours ago \| parent \| prev \| next [-]
		In my experience, most devs and companies don't consider the dependencies they load 'their' code. They only look at the code they write, not everything they deploy.
	▲	DamonHD an hour ago \| parent \| prev [-]
		These were all multinationals, with very significant US presence.