Comment by lesuorac
4 days ago
To me this is asking the question of "what's the safest way to drink from a polluted river".
The answer is really, don't.
NPM and the JS ecosystem has really gone down a path of zero security and they're paying the price for it.
If you really need libraries from NPM and whatnot, vendorize them so you're relying on known-safe files and don't arbitrarily update them without re-verification.
This is true. Today it's npm, tomorrow it could be some other language. Shouldn't we focus on solving it at the root?
Some of us need to drink from the river to eat :(