Remix.run Logo
Ask HN: Evidence for JavaScript ecosystem being more vulnerable than Rust's?
1 points by pascahousut 6 hours ago

Suppose you have to deal with vulnerability findings reported by some automated tools that seem to scan JavaScript projects's dependency lists and compare them against some CVE database. Suppose it seems as if there's a lot more of this work in JavaScript projects than in Rust projects. There might be several reasons for this feeling:

- Maybe you're just unlucky and your projects happen to have bad dependencies, and the constant churn is not representative of the wider JavaScript ecosystem.

- Maybe the tooling is better equipped against JavaScript than Rust projects. Maybe the scanner doesn't know how to analyze Rust projects as effectively as it does with JavaScript ones.

- Maybe current Rust ecosystem is actually less vulnerable than current JavaScript ecosystem.

The last reason itself may have multiple reasons behind it. Maybe there's just less Rust than JavaScript in the world, maybe one is newer than the other, maybe one has some inherently superior features over the other, who knows!

Amyway, this is all speculative, and I would like to learn of some evidence that points one way or another. So, do you know of any recent paper that would analyze the vulnerability count in currently popular dependencies in JavaScript versus Rust ecosystems in some given domain such as web apps?