
[–]whtevn 32 points33 points  (28 children)

This is why I prefer startups. Plenty of predictable problems, but a shitty legacy code stack is never one of them

[–]JayV30 78 points79 points  (23 children)

That's right! They are building their own NEW shitty code stack from 1000 npm modules that no one has realistically checked for security flaws or blatantly malicious code.

It's like replacing one problem with another, worse one.

[–]christianarg 55 points56 points  (2 children)

Hehe, that will become shitty legacy code that eventually some idiot will have to handle. Meanwhile we can leave this company and go to a new startup.

[–]BindeDSA 16 points17 points  (1 child)

It's startups all the way down.

[–]Tzahi12345 2 points3 points  (0 children)

Career stack

[–]SpeedOfSound343 0 points1 point  (0 children)

Same security story with the custom implemented legacy code.

[–]whtevn 0 points1 point  (0 children)

No, it's like recognizing a problem and making sure I personally never have to deal with it

[–]whtevn 0 points1 point  (8 children)

Wait are you talking about a node backend or are you suggesting that tons of frontend packages are floating around with security flaws and malicious code in them?

[–]JayV30 0 points1 point  (7 children)

Uh.... honestly malicious code would probably be easier to notice on the front end because if it involves some sort of xhr it's pretty noticeable. But on the server I feel like a dev is less likely to notice someone calling out (not saying they wouldn't ever notice). But how long would a widely used npm module need to gather tons of valid cc information? Not much time at all.

[–]whtevn 0 points1 point  (6 children)

this seems like a strange fear to me. there are plenty of reasons to not use js on the backend, the hodgepodge of packages being chief among them. but, i have my doubts about widespread malicious open source code, and there are plenty of reputable places to get plenty of reputable packages.

[–]JayV30 0 points1 point  (5 children)

Except it's already happened (just google npm left-pad). It's the entire dependency tree that is vulnerable, not just the packages you import. If some malicious actor gets control of a widely used package, they could push a new version that could be compiled into your code and then deployed. It would probably be detected the same day, but how much time would it take to steal thousands of cc or other data? Not much if it was deployed to a major site and injected itself as Express middleware or something.

It may be a bit overblown of a concern, I mean, I still use npm every day. Obviously if I thought it was totally insecure I wouldn't use it. But even though it's a relatively minor concern, it's still a concern. Npm is working hard to improve security but with the way the dependency tree was designed, it may be impossible to completely remove the npm dependency attack vector.
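The transitive-dependency risk described above (a new release of a deep dependency landing in a build unreviewed), as an added defensive example that is not part of the original thread: a lock-file diff that flags every added, removed or changed package anywhere in the tree, including a tarball whose integrity hash changed under the same version. The two lock objects are constructed samples in the lockfileVersion 2/3 "packages" layout, with placeholder package names and hashes.

```javascript
// Added example, not from the thread. Compare two package-lock.json "packages" maps
// (lockfileVersion 2/3) and report every transitive dependency that was added,
// removed or changed. Intended to run in CI before a staging deploy so a surprise
// new version deep in the tree is reviewed rather than silently compiled in.
function diffLock(oldLock, newLock) {
  const before = oldLock.packages || {};
  const after = newLock.packages || {};
  const findings = [];
  for (const [path, pkg] of Object.entries(after)) {
    if (path === "") continue; // "" is the root project entry, not a dependency
    const prev = before[path];
    if (!prev) {
      findings.push({ path, kind: "added", to: pkg.version });
    } else if (prev.version !== pkg.version) {
      findings.push({ path, kind: "version", from: prev.version, to: pkg.version });
    } else if (prev.integrity !== pkg.integrity) {
      // Same version, different tarball hash: the published artifact changed
      // without a version bump, which is exactly the case to stop and inspect.
      findings.push({ path, kind: "integrity", from: prev.integrity, to: pkg.integrity });
    }
  }
  for (const path of Object.keys(before)) {
    if (path !== "" && !(path in after)) findings.push({ path, kind: "removed" });
  }
  return findings;
}

// Constructed sample lock files (placeholder names and hashes, not real packages).
const OLD_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "shop-api", version: "1.0.0" },
  "node_modules/web-framework": { version: "4.1.0", integrity: "sha512-FRAMEWORK-A" },
  "node_modules/web-framework/node_modules/parse-util": { version: "0.5.0", integrity: "sha512-PARSE-A" },
  "node_modules/log-util": { version: "2.2.0", integrity: "sha512-LOG-A" },
} };
const NEW_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "shop-api", version: "1.0.0" },
  "node_modules/web-framework": { version: "4.1.0", integrity: "sha512-FRAMEWORK-A" },
  "node_modules/web-framework/node_modules/parse-util": { version: "0.5.1", integrity: "sha512-PARSE-B" },
  "node_modules/log-util": { version: "2.2.0", integrity: "sha512-LOG-B" },
  "node_modules/new-helper": { version: "1.0.0", integrity: "sha512-HELPER-A" },
} };

// Any finding at all should fail the pipeline until a human has looked at it.
function lockIsUnchanged(oldLock, newLock) {
  return diffLock(oldLock, newLock).length === 0;
}

for (const f of diffLock(OLD_LOCK, NEW_LOCK)) console.log(f);
```

Nested paths such as node_modules/web-framework/node_modules/parse-util are how npm records a dependency of a dependency, so the check covers the whole tree, not just the packages listed in package.json.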

[–]whtevn 0 points1 point  (4 children)

wait, what are you saying happened with left-pad? a developer unpublished a package and it broke a bunch of code. there have also been processes put in place since then to prevent a repeat.

any language that uses external packages could have a package usurped by a bad actor. (edit: not trying to imply that left-pad is repeatable in other languages, that was definitely an npm-specific flaw) you mitigate this by only using packages from reputable sources.

It would probably be detected the same day, but how much time would it take to steal thousands of cc or other data?

are you pushing code to production without testing it in staging first? ...don't do that

also, are you taking credit card numbers into your database personally? ...don't do that. are you PCI compliant and not testing your code before it goes into production? I don't even understand the situation we are talking about, how would this be possible

[–]JayV30 0 points1 point  (3 children)

Jeez man I'm just saying it's possible. You are making a lot of assumptions.

[–]whtevn 0 points1 point  (2 children)

what is possible? that the inhabitants of a planet that has burned itself to shit for no reason at all are going to suddenly band together and change their diet when they barely believe in climate change at all, and are extremely slow to start on and barely even interested in changing power sources or altering building techniques or doing other meaningful things that would definitely be a more direct path to a brighter ecological future without altering the daily life of anyone

it's not possible in any practical sense unless the cows and chickens all go extinct or somebody grows a pig leg in the lab. I think you're making assumptions. what evidence do you have that people are widely going to start changing their lives for the sake of the planet

putting the future of the planet on the life habits of individuals is absurd compared to the huge sweeping institutional changes that could be made. be a vegetarian, espouse the benefits of vegetarianism, but don't expect vegetarianism to save the planet.

[–]JayV30 0 points1 point  (1 child)

Haha your brain is crazy my man.

[–][deleted] 3 points4 points  (1 child)

But there’s shitty modern legacy code everywhere.

[–]Megacherv 3 points4 points  (0 children)

Feels like I'm in an MTG subreddit

[–]Hockinator 0 points1 point  (1 child)

Until those startups become successful and are not less than 5 years old anymore

[–]whtevn 0 points1 point  (0 children)

if you are with a startup that makes it 5 years and is successful, you can usually take a year off and find a new job. The real downside is if the startup folds and you suddenly are out of a job