Comment by jacquesm

4 days ago

Sorry, but that had me laughing out loud.

No, they haven't.

I should know, I check those companies for a living. This is one of the most often flagged issues: unaudited Node.js dependencies. "Oh but we don't have the manpower to do that, think about how much code that is".

7 comments

jacquesm

DamonHD 4 days ago

When I last looked (as a consulting dev in a bank or three, horrified) absolutely they had not!

cluckindan 4 days ago
If this was in the US, all financial institutions need to audit their code to comply with NIST SP 800-53.
If they haven’t, it would be ethically dubious for you to not report it.
- jacquesm 4 days ago
  
  In theory there is no difference between theory and practice, but in practice there is.
  > If they haven’t, it would be ethically dubious for you to not report it.
  I can report all I want, someone needs to act on that report for it to have an effect.
  There are people out there who think that some static analysis tool plugged into their CI/CD pipeline is the equivalent of a code audit.
  
  2 replies →
- drw85 4 days ago
  
  In my experience, most devs and companies don't consider the dependencies they load 'their' code. They only look at the code they write, not everything they deploy.
- DamonHD 4 days ago
  
  These were all multinationals, with very significant US presence.