| appplication | 5 hours ago |
| First off, love svelte, the team is really doing a good job focusing on developer ergonomics. That said, I’m not surprised to see a list of CVEs impacting devalue. After running into some (seemingly arbitrary) limitations, I skimmed the code and it definitely felt like there was some sketchiness to it, given how it handles user inputs. If I were nefarious or a security researcher it would definitely be a focal point for me. |

| no_wizard | 5 hours ago |
| I want to ask simply for curiosity. Knowing you felt this way about that code, and I'm assuming knew that it had some level of relative importance to Svelte as a whole, how did that inform your decision making, if at all? |

| appplication | 4 hours ago |
| My decision making to use svelte? TBH I looked at source only well after I was far enough along development to be committed to it as a framework. That said, I don’t have any regrets, it’s a pleasure to use svelte and I trust the team’s direction. This particular app is already locked down to internal/trusted users. For something more public or security critical it may warrant a deeper dive and more consideration. |

| hsbauauvhabzb | 3 hours ago |
| It’s probably comparable to other js frameworks, and auditing every package before you use them will leave you in analysis paralysis. I have a low opinion of software in general, but svelte isn’t a particular standout in that aspect. |

| dwattttt | 3 hours ago |
| The phrase is typically analysis paralysis, but the image of a team of analysts frozen in fear is quite evocative. |

| hsbauauvhabzb | 3 hours ago |
| Autocorrected on my iPhone, but sometimes the best thing analysts could do is nothing ;) |