My goal for personal Node projects is to keep the dependency graph thin enough that I could reasonably hand-audit every line of third-party code. I'm increasingly convinced everyone should do this. End the bloat. https://twitter.com/toshok/status/951150882778906625 …
-
It sounds like our 2018 resolution should be "use npm packages that have groups of people who review the code" then, not "only use as many dependencies as you can hand audit."

-
I would love for npm packages to be subject to literally any standard of responsible curation. Saying that I shouldn’t care because V8 also has contributors is not a useful argument.
-
I don’t have to worry about my doctor getting replaced by a malicious imposter who brute forced a weak password and surreptitiously updated
-
Do you check that the doctor you see at the clinic isn't an imposter?
-
I go to a reputable clinic that vets the people who work there, which is not something npm does with its contents
-
Does your clinic carefully vet the provenance of every equipment and drug delivery?
-
yes, there are chains of trust, regulatory authorities and spot checks for those things in health; what does OSS have that's equivalent?
-
There's stuff like https://www.emberjs.com/security/ . And before you ask, yes, we get security reports and handle them using industry best practices.