top | item 45180761

(no title)

naugtur | 5 months ago

packages published to npm are immutable. if you pin a version, you get the same exact version as long as MSFT servers are not compromised.

Installing from git is not recommended and has more issues than you might think https://dev.to/naugtur/a-phish-on-a-fork-no-chips-52cc

You are supposed to update packages, even if you use lockfiles (very common) or tools that pin your direct dependencies (renovate etc. not so common) And when you do update, will you read the package and all of its updated dependencies?

It's a hard problem with a bunch of tradeoffs.

Can be done, with enough attention and tools. Tools include LavaMoat :)

discuss

whilenot-dev|5 months ago

> packages published to npm are immutable.

Depends how you'd refer to them... tags ("@latest", "@next" etc.) are not immutable and it's best to rely on the checksums in the lock file.

clbrmbr|5 months ago

Re: updates: I was just thinking of waiting a few weeks on the updates to allow compromised packages to be discovered.

naugtur|5 months ago

socket.dev will find most malware within hours of it being published.

with LavaMoat most malware won't work even if you don't detect it.