rvz 4 hours ago

Once again, it is in the NPM ecosystem. OneCLI [0] does not save you either. Happens less with languages that have better standard libraries such as Go.

If you see any package that has hundreds of libraries, that increases the risk of a supply chain attack.

A password manager does not need a CLI tool.

[0] https://news.ycombinator.com/item?id=47585838

internetter 4 hours ago

> A password manager does not need a CLI tool.

A password manager absolutely does need a CLI tool??

hgoel 4 hours ago

I guess anyone/anything using a non-graphical interface should just not use a password manager for some reason?

Not to mention that a graphical application is just as vulnerable to supply chain attacks.

fluidcruft 2 hours ago

It seems like we need better standard libraries, but standard libraries turn into tarpits. I sort of like the way Python's stdlib works.

hrimfaxi 4 hours ago

> A password manager does not need a CLI tool.

Why not? Even macOS Keychain supports a CLI.

gear54rus 4 hours ago

The above comment is just a bunch of generalizations not meant to be addressed seriously, that's why.

rvz 4 hours ago

So the comparison here is that you would rather trust a password manager with a CLI that imports hundreds of third-party dependencies over a first party password manager with a CLI that comes with the OS?

I don't think macOS Keychain uses NPM, it isn't written in TypeScript or JavaScript and, yes, it does not need a CLI either.

The NPM and Java/TypeScript ecosystem is part of the problem that encourages developers to import hundreds of third-party libraries, due to its weak standard library, where it takes only ONE transitive dependency to be compromised and it is game over.

hgoel 4 hours ago

You initially complained about CLIs, not the dependency mess of the JS ecosystem.

You still have not said why this is an issue of having a CLI.

rvz 3 hours ago

> You initially complained about CLIs, not the dependency mess of the JS ecosystem.

I complained about both. What does this say from the start?

>> Once again, it is in the NPM ecosystem.

> You still have not said why this is an issue of having a CLI.

Why do you need one? Automation reasons? OpenClaw? This is an attractive way for an attacker to get ALL the passwords in your vault. The breach itself, if run in GitHub Actions, would just make it a coveted target to compromise, which makes having one worse, not better, and allows easier exfiltration.

So it makes even more sense for a password manager to not need a CLI at all. This is even before I mention the NPM and JavaScript ecosystem.

hgoel 3 hours ago

> Why do you need one? Automation reasons? OpenClaw? This is an attractive way for an attacker to get ALL your passwords in your vault.

I need one because I am not always using a graphical interface. What exactly in a GUI do you think makes it harder/less attractive for an attacker?

If the GUI code is compromised in the same way as the CLI, it'll have the same level of access to your vault as soon as you enter your master password, exactly the same as in the CLI.

gear54rus 3 hours ago

It does not much matter if it imports 300 or 30 of them, those vulns will land somewhere in those 30 with equal frequency statistically. If you are advocating developing without dependencies at all, then please start (with any language) and show us all how much you actually ship.

JS is a target of these dumb accusations because it's literally the best cross-platform way to ship apps. Stop inventing issues where there are none.

trinsic2 4 hours ago

Yeah, I'm going to have to agree with this.

imiric 4 hours ago

> A password manager does not need a CLI tool.

That's a wild statement. The CLI is just another UI.

The problem in this case is JS and the NPM ecosystem. Go would be an improvement, but complexity is the enemy of security. Something like (pass)age is my preference for storing sensitive data.