Sorry, but that had me laughing out loud.

No, they haven't.

I should know, I check those companies for a living. This is one of the most often flagged issues: unaudited Node.js dependencies. "Oh but we don't have the manpower to do that, think about how much code that is".

▲

DamonHD 6 hours ago | parent [-]

When I last looked (as a consulting dev in a bank or three, horrified) absolutely they had not!

▲

cluckindan 5 hours ago | parent [-]

If this was in the US, all financial institutions need to audit their code to comply with NIST SP 800-53.

If they haven’t, it would be ethically dubious for you to not report it.

	▲	jacquesm 34 minutes ago \| parent \| next [-]
		In theory there is no difference between theory and practice, but in practice there is. > If they haven’t, it would be ethically dubious for you to not report it. I can report all I want, someone needs to act on that report for it to have an effect. There are people out there who think that some static analysis tool plugged into their CI/CD pipeline is the equivalent of a code audit.
	▲	drw85 2 hours ago \| parent \| prev \| next [-]
		In my experience, most devs and companies don't consider the dependencies they load 'their' code. They only look at the code they write, not everything they deploy.
	▲	DamonHD 2 hours ago \| parent \| prev [-]
		These were all multinationals, with very significant US presence.