top | item 16869666

probablycorey | 7 years ago

Is this realistic though? Every time you update a dependency you would have to read its source (and its source dependencies, and their source dependencies...)

To do that well, it would be someone's full-time job to read and do security audits on all those dependencies.

komali2 | 7 years ago

Last time I went to one of the Bay Area node meetups, that given meetup was being sponsored by just such a company. Can't remember the name, unfortunately.

The idea was though that you'd feed them your package.json and they'd let you know of any vulnerabilities, iirc. Or maybe they had a private repo of packages they'd checked? Can't remember.

illustrioussuit | 7 years ago

Theoretically, once something is updated all you would have to do is check the diff. Still tedious though.
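As an added example (not from this thread or from any of the commenters): a small Node script that diffs two npm lockfiles so the "check the diff" step only covers dependencies that actually moved, transitive ones included, which is the part of probablycorey's objection that tooling can actually shrink. It assumes the lockfileVersion 2/3 layout, where `packages` maps install paths like `node_modules/a/node_modules/b` to `{ version, resolved, integrity }`; the package names, URLs and integrity strings below are constructed.

```javascript
// Added example: diff two package-lock.json documents (lockfileVersion 2/3)
// and produce a review queue of the dependencies that changed.
// All package names, URLs and integrity values are constructed sample data.

// Flatten a lockfile into path -> { version, resolved, integrity }.
// The "" key is the project itself, not a dependency, so it is skipped.
function indexLockfile(lock) {
  const index = new Map();
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue;
    index.set(path, {
      version: entry.version,
      resolved: entry.resolved,
      integrity: entry.integrity,
    });
  }
  return index;
}

// Sort helper: entries are either bare paths or objects carrying a path.
const pathOf = (x) => (typeof x === 'string' ? x : x.path);
const byPath = (a, b) => pathOf(a).localeCompare(pathOf(b));

// Compare two lockfiles. Nested install paths are compared like any other,
// so a transitive dependency that moves shows up alongside direct ones.
//   added / removed : install paths present on only one side
//   changed         : same path, different version (the diff to read)
//   suspicious      : same path and version but a different resolved URL or
//                     integrity hash; a published version should be immutable,
//                     so this is looked at before any version diff
function diffLockfiles(oldLock, newLock) {
  const before = indexLockfile(oldLock);
  const after = indexLockfile(newLock);
  const result = { added: [], removed: [], changed: [], suspicious: [] };

  for (const [path, prev] of before) {
    const next = after.get(path);
    if (!next) { result.removed.push(path); continue; }
    if (prev.version !== next.version) {
      result.changed.push({ path, from: prev.version, to: next.version });
      continue;
    }
    const fields = ['resolved', 'integrity'].filter((f) => prev[f] !== next[f]);
    if (fields.length) result.suspicious.push({ path, version: prev.version, fields });
  }
  for (const path of after.keys()) {
    if (!before.has(path)) result.added.push(path);
  }
  for (const list of Object.values(result)) list.sort(byPath);
  return result;
}

// Turn the diff into the list a human has to read: suspicious entries first,
// new packages in full, changed packages as a from -> to source diff.
function reviewQueue(diff) {
  return [
    ...diff.suspicious.map((s) => `${s.path}@${s.version}: ${s.fields.join(', ')} changed without a version bump`),
    ...diff.added.map((p) => `${p}: new dependency, review in full`),
    ...diff.changed.map((c) => `${c.path}: review source diff ${c.from} -> ${c.to}`),
  ];
}

// Constructed sample lockfiles: one dependency bumped, one transitive copy
// untouched, one removed, one added, and one whose tarball hash changed
// although its version did not.
const REG = 'https://registry.example.invalid';
const OLD_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/tiny-util': { version: '1.0.0', resolved: `${REG}/tiny-util-1.0.0.tgz`, integrity: 'sha512-CONSTRUCTED-a1' },
    'node_modules/date-fmt': { version: '2.1.0', resolved: `${REG}/date-fmt-2.1.0.tgz`, integrity: 'sha512-CONSTRUCTED-b1' },
    'node_modules/date-fmt/node_modules/tiny-util': { version: '0.9.1', resolved: `${REG}/tiny-util-0.9.1.tgz`, integrity: 'sha512-CONSTRUCTED-c1' },
    'node_modules/color-names': { version: '1.0.0', resolved: `${REG}/color-names-1.0.0.tgz`, integrity: 'sha512-CONSTRUCTED-d1' },
    'node_modules/legacy-shim': { version: '0.3.2', resolved: `${REG}/legacy-shim-0.3.2.tgz`, integrity: 'sha512-CONSTRUCTED-e1' },
  },
};
const NEW_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/tiny-util': { version: '1.0.1', resolved: `${REG}/tiny-util-1.0.1.tgz`, integrity: 'sha512-CONSTRUCTED-a2' },
    'node_modules/date-fmt': { version: '2.1.0', resolved: `${REG}/date-fmt-2.1.0.tgz`, integrity: 'sha512-CONSTRUCTED-b1' },
    'node_modules/date-fmt/node_modules/tiny-util': { version: '0.9.1', resolved: `${REG}/tiny-util-0.9.1.tgz`, integrity: 'sha512-CONSTRUCTED-c1' },
    'node_modules/color-names': { version: '1.0.0', resolved: `${REG}/color-names-1.0.0.tgz`, integrity: 'sha512-CONSTRUCTED-d2' },
    'node_modules/flatmap-helper': { version: '0.1.0', resolved: `${REG}/flatmap-helper-0.1.0.tgz`, integrity: 'sha512-CONSTRUCTED-f1' },
  },
};

// Usage: in practice read the committed lockfile and the one an update produced.
console.log(reviewQueue(diffLockfiles(OLD_LOCK, NEW_LOCK)).join('\n'));
```

Run against the committed lockfile and the one a dependency update produces. With an immutable registry the suspicious list should be empty, so anything in it is read before the version diffs; the queue itself is what makes a per-update review tractable, because unchanged transitive packages drop out instead of being re-read every time.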

Y_Y | 7 years ago

I look forward to all the clever exploits that result from benign-looking code being added to benign-looking code.