
underscoring | 2 years ago

> or it is "I can trust this code".

what might be better would be some kind of trust layer built into package managers so they (optionally) only allow verified repos to be installed

m_rpn | 2 years ago

There are countless solutions that try to do this, both official and unofficial, both at package and repository level. npm from NodeJS comes with a security audit tool, for example, and most code hosting solutions nowadays have at least a SAST tool built in, but expecting more from free services is a bit of a pipe dream.

Obviously it's hard to make a one-size-fits-all solution. The bottom line is that if you use third-party code for anything serious you have to do your due diligence from a security point of view, a vulnerability assessment at the bare minimum.

Lots of big companies are in fact maintaining their own versions of whole package ecosystems just to manually address any security concern, which is a crazy effort.
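An added example, not from the thread and not npm's own tooling, of the opt-in "verified sources only" gate underscoring suggests and the due diligence m_rpn describes: a Node script that audits a package-lock.json and reports every dependency that resolves outside an allowlisted registry or lacks a sha512 integrity hash. The lockfile, the trusted origins and the digests are all constructed for the example.

```javascript
// Added example: an opt-in "trusted sources only" check over an npm lockfile.
// Assumes the lockfileVersion 2/3 layout ("packages" keyed by install path).
// Constructed allowlist of registry origins; an organisation would put its
// own mirror(s) here instead of the two placeholder entries below.
const TRUSTED_ORIGINS = new Set([
  "https://registry.npmjs.org",
  "https://npm.internal.example", // constructed internal mirror
]);

// Constructed lockfile excerpt: one clean entry, one fetched from an unknown
// host, one with no integrity field at all. Digests are placeholders.
const LOCKFILE = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { left: "1.0.0", right: "2.0.0", down: "3.0.0" } },
    "node_modules/left": {
      version: "1.0.0",
      resolved: "https://registry.npmjs.org/left/-/left-1.0.0.tgz",
      integrity: "sha512-AAAA", // placeholder digest
    },
    "node_modules/right": {
      version: "2.0.0",
      resolved: "https://mirror-nobody-vetted.example/right/-/right-2.0.0.tgz",
      integrity: "sha512-BBBB", // placeholder digest
    },
    "node_modules/down": {
      version: "3.0.0",
      resolved: "https://registry.npmjs.org/down/-/down-3.0.0.tgz",
      // integrity missing: npm cannot verify the tarball it downloads
    },
  },
};

// Returns one finding per policy violation; an empty array means the
// lockfile only references trusted, integrity-pinned tarballs.
function auditLockfile(lock, trusted = TRUSTED_ORIGINS) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "" || entry.link) continue; // root project or workspace symlink
    const name = path.replace(/^.*node_modules\//, "");
    let origin = null;
    try { origin = new URL(entry.resolved || "").origin; } catch { /* unparsable */ }
    if (!origin || !trusted.has(origin)) {
      findings.push({ name, reason: `untrusted source ${entry.resolved || "(none)"}` });
    }
    if (!/^sha512-/.test(entry.integrity || "")) {
      findings.push({ name, reason: "missing or weak integrity hash" });
    }
  }
  return findings;
}

console.log(JSON.stringify(auditLockfile(LOCKFILE), null, 2));
```

Wired into CI (exit non-zero when the array is non-empty) this becomes the optional gate the comment asks for, without waiting for a package manager to ship it.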

bunderbunder | 2 years ago

Doing that well would cost money, and people are used to getting their package managers for free.