Earlier I had some discussion with people about the recent npm malware.
The topic that came up there was checking the package's code yourself manually before using it. I feel like that's unsustainable and not something a web developer should need to do (maybe devops or security guys should?).
Every package these days seems to have 20 sub-dependencies, and then when they change the version it will need reviewing again (though smaller, I think, because you can just check the differences in commits).
Maybe socket.dev or Aikido tools etc. can help, but manual reviews seem unfeasible. Is it actually unfeasible, or am I just being lazy?
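One way to make the "check the differences" approach concrete, as an added example that is not part of the original post: instead of re-reading every sub-dependency after an upgrade, diff the `packages` section of the old and new `package-lock.json` (lockfileVersion 2 or 3 layout) and produce the list of packages that actually need a look. The two lockfile objects below are constructed sample data with made-up package names and hashes; `diffLockfiles` and `reviewQueue` are hypothetical helper names, not an npm API.

```javascript
// Added example, not code from the original post. Compares the "packages"
// section of two npm lockfiles and reports the review surface left after an
// upgrade: new transitive packages, version changes, and content changes
// that arrived without a version bump. Sample data below is constructed.

const SAMPLE_BEFORE = {
  name: "my-app", lockfileVersion: 3,
  packages: {
    "": { name: "my-app", dependencies: { "left-pad-ish": "^1.0.0", "stale-dep": "^0.1.0" } },
    "node_modules/left-pad-ish": { version: "1.0.0", integrity: "sha512-AAA", dependencies: { "tiny-util": "^2.0.0" } },
    "node_modules/tiny-util": { version: "2.0.0", integrity: "sha512-BBB" },
    "node_modules/stale-dep": { version: "0.1.0", integrity: "sha512-CCC" },
  },
};

const SAMPLE_AFTER = {
  name: "my-app", lockfileVersion: 3,
  packages: {
    "": { name: "my-app", dependencies: { "left-pad-ish": "^1.1.0" } },
    "node_modules/left-pad-ish": { version: "1.1.0", integrity: "sha512-DDD", dependencies: { "tiny-util": "^2.0.0", "color-helper": "^3.0.0" } },
    // same version as before, but the tarball hash differs
    "node_modules/tiny-util": { version: "2.0.0", integrity: "sha512-EEE" },
    // brand-new transitive dependency that runs an install script
    "node_modules/color-helper": { version: "3.2.1", integrity: "sha512-FFF", hasInstallScript: true },
  },
};

function diffLockfiles(before, after) {
  const result = { added: [], removed: [], changed: [], suspicious: [], unchanged: 0 };
  const bPkgs = before.packages || {};
  const aPkgs = after.packages || {};

  for (const [path, entry] of Object.entries(aPkgs)) {
    if (path === "") continue; // root project entry, not a dependency
    const prev = bPkgs[path];
    if (!prev) {
      // hasInstallScript is recorded by npm in lockfile v2/v3 entries
      result.added.push({ path, version: entry.version, hasInstallScript: !!entry.hasInstallScript });
    } else if (prev.version !== entry.version) {
      result.changed.push({ path, from: prev.version, to: entry.version });
    } else if (prev.integrity !== entry.integrity) {
      // Same version, different content: the published artifact changed
      // without a version bump, which deserves a closer look.
      result.suspicious.push({ path, version: entry.version, reason: "integrity changed without version change" });
    } else {
      result.unchanged += 1;
    }
  }
  for (const path of Object.keys(bPkgs)) {
    if (path !== "" && !aPkgs[path]) result.removed.push({ path, version: bPkgs[path].version });
  }
  return result;
}

// Packages whose code must actually be read after the upgrade.
function reviewQueue(diff) {
  return [
    ...diff.added.map((p) => p.path),
    ...diff.changed.map((p) => p.path),
    ...diff.suspicious.map((p) => p.path),
  ];
}

if (typeof require !== "undefined" && require.main === module) {
  const d = diffLockfiles(SAMPLE_BEFORE, SAMPLE_AFTER);
  console.log(JSON.stringify(d, null, 2));
  console.log("review queue:", reviewQueue(d));
}
```

Run against the sample data, the queue is three packages rather than the whole tree: the upgraded `left-pad-ish`, the new `color-helper` (flagged because it carries an install script), and `tiny-util`, whose version did not move but whose integrity hash did. For the actual content of a changed package, npm itself can show the source diff between two published versions with `npm diff --diff=<pkg>@<old> --diff=<pkg>@<new>`, so the manual part reduces to reading that diff for the packages in the queue.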