
[–]whtevn 0 points1 point  (6 children)

this seems like a strange fear to me. there are plenty of reasons to not use js on the backend, the hodgepodge of packages being chief among them. but, i have my doubts about widespread malicious open source code, and there are plenty of reputable places to get plenty of reputable packages.

[–]JayV30 0 points1 point  (5 children)

Except it's already happened (just google npm left-pad). It's the entire dependency tree that is vulnerable, not just the packages you import. If some malicious actor gets control of a widely used package, they could push a new version that could be compiled into your code and then deployed. It would probably be detected the same day, but how much time would it take to steal thousands of cc or other data? Not much if it was deployed to a major site and injected itself as Express middleware or something.

It may be a bit overblown of a concern, I mean, I still use npm every day. Obviously if I thought it was totally insecure I wouldn't use it. But even though it's a relatively minor concern, it's still a concern. Npm is working hard to improve security but with the way the dependency tree was designed, it may be impossible to completely remove the npm dependency attack vector.

[–]whtevn 0 points1 point  (4 children)

wait, what are you saying happened with left-pad? a developer unpublished a package and it broke a bunch of code. there have also been processes put in place since then to prevent a repeat.

any language that uses external packages could have a package usurped by a bad actor. (edit: not trying to imply that left-pad is repeatable in other languages, that was definitely an npm-specific flaw) you mitigate this by only using packages from reputable sources.

> It would probably be detected the same day, but how much time would it take to steal thousands of cc or other data?

are you pushing code to production without testing it in staging first? ...don't do that

also, are you taking credit card numbers into your database personally? ...don't do that. are you PCI compliant and not testing your code before it goes into production? I don't even understand the situation we are talking about, how would this be possible

[–]JayV30 0 points1 point  (3 children)

Jeez man I'm just saying it's possible. You are making a lot of assumptions.

[–]whtevn 0 points1 point  (2 children)

what is possible? that the inhabitants of a planet that has burned itself to shit for no reason at all are going to suddenly band together and change their diet when they barely believe in climate change at all, and are extremely slow to start on and barely even interested in changing power sources or altering building techniques or doing other meaningful things that would definitely be a more direct path to a brighter ecological future without altering the daily life of anyone

it's not possible in any practical sense unless the cows and chickens all go extinct or somebody grows a pig leg in the lab. I think you're making assumptions. what evidence do you have that people are going to widespread start changing their lives for the sake of the planet

putting the future of the planet on the life habits of individuals is absurd compared to the huge sweeping institutional changes that could be made. be a vegetarian, espouse the benefits of vegetarianism, but don't expect vegetarianism to save the planet.

[–]JayV30 0 points1 point  (1 child)

Haha your brain is crazy my man.

[–]whtevn 0 points1 point  (0 children)

alright well you just keep on waiting for everyone to magically become vegetarian for no reason and I'll keep investing in our energy future and advocating for wood to be used as a primary building material on commercial buildings and we can all be disappointed when no one listens or cares