My goal for personal Node projects is to keep the dependency graph thin enough that I could reasonably hand-audit every line of third-party code. I'm increasingly convinced everyone should do this. End the bloat. https://twitter.com/toshok/status/951150882778906625 …
I go to a reputable clinic that vets the people who work there, which is not something npm does with its contents
Does your clinic carefully vet the provenance of every equipment and drug delivery?
yes, there are chains of trust, regulatory authorities and spot checks for those things in health; what does OSS have that's equivalent?
There's stuff like https://www.emberjs.com/security/ . And before you ask, yes, we get security reports and handle them using industry best practices.
but as far as I know there aren't a lot of things like the Linux Foundation critical infra project work going through the chain of trust
I think the issue is that it falls on individual devs and teams to do so much binary entity reputation management, and tools like WhiteSource aren't common
so there isn't an equivalent of those industry-wide chains of trust that are there in your healthcare metaphor
whether it's Node hitting a CoC bump and forking itself again or an npm package, it's a burden on devs to know how many turtles down to look
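An added example, not from anyone in this thread, that puts a number on the first tweet's goal and on "how many turtles down to look": a Node script that reads the `packages` map of a package-lock.json (lockfileVersion 2 or 3), follows Node's nested-then-hoisted module resolution, and reports for each direct dependency how many packages it pulls in and how deep the chain goes. The lockfile embedded below is constructed for illustration, not taken from a real project.

```javascript
// Added example: size up the transitive dependency footprint recorded in a
// package-lock.json. SAMPLE_LOCK is a constructed lockfile, not a real project's.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { left: "^1.0.0", right: "^2.0.0" } },
    "node_modules/left": { version: "1.0.0", dependencies: { shared: "^1.0.0", deep: "^1.0.0" } },
    "node_modules/right": { version: "2.0.0", dependencies: { shared: "^2.0.0" } },
    "node_modules/shared": { version: "1.0.0" },
    "node_modules/right/node_modules/shared": { version: "2.0.0" }, // nested copy, not hoisted
    "node_modules/deep": { version: "1.0.0", dependencies: { deeper: "^1.0.0" } },
    "node_modules/deeper": { version: "1.0.0" },
  },
};
// Resolve `name` as required from the package installed at `fromPath`, the way
// Node does: nearest node_modules first, then walk up towards the project root.
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = `${base ? base + "/" : ""}node_modules/${name}`;
    if (packages[candidate]) return candidate;
    if (base === "") return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}
// Breadth-first walk from one direct dependency. Depth 1 is the dependency
// itself, so maxDepth is how many "turtles" an auditor has to read through.
function transitiveClosure(packages, directName) {
  const start = resolveDep(packages, "", directName);
  if (!start) throw new Error(`${directName} is not installed at the root of this lockfile`);
  const depthOf = new Map();
  const queue = [[start, 1]];
  while (queue.length) {
    const [path, depth] = queue.shift();
    if (depthOf.has(path)) continue; // already reached by a shorter chain
    depthOf.set(path, depth);
    for (const dep of Object.keys(packages[path].dependencies || {})) {
      const resolved = resolveDep(packages, path, dep);
      if (!resolved) throw new Error(`${dep} (needed by ${path}) is missing from the lockfile`);
      queue.push([resolved, depth + 1]);
    }
  }
  return { count: depthOf.size, maxDepth: Math.max(...depthOf.values()), paths: [...depthOf.keys()] };
}
function report(lock) { // one row per direct dependency of the root package
  return Object.fromEntries(Object.keys(lock.packages[""].dependencies || {})
    .map((name) => [name, transitiveClosure(lock.packages, name)]));
}
// Run against a real lockfile with: node deps.js path/to/package-lock.json
const lock = process.argv[2] ? JSON.parse(require("fs").readFileSync(process.argv[2], "utf8")) : SAMPLE_LOCK;
console.log(JSON.stringify(report(lock), null, 2));
```

The `paths` list in each row is the set of directories under node_modules an auditor would actually have to read for that one direct dependency, and `count` compared with the total number of keys in `packages` shows how much of the install a single dependency accounts for.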
