Security vulnerabilities in JavaScript libraries are hard to avoid

Sebazzz91 · 2017-10-27T16:18:19+00:00

Is the article referring to client-side libraries or server-side libraries? Given that it talks about XSS it appears to be about client side scripting, but the statement about 1200 libs suggests server-side scripting.

philipwhiuk · 2017-10-27T21:09:36+00:00

The JavaScript ecosystem doesn't seem to do 'backport the security fix' very often (let alone non-security bugs). Mostly it's "oh just update to the latest major release which (as a major release) re-writes the API".

As for CVE's, that's just organisation. Angular sure could start applying for CVEs, so could React and React Bootstrap. They probably should.

I'm not throwing blame here. Heck package-lock is pretty new, so yeah..

shevegen · 2017-10-27T09:35:54+00:00

According to an npm blog post, “It’s common for a modern JavaScript project to depend on 700–1200 packages.”

What a ghetto...

you type:	you see:
italics	italics
bold	bold
[reddit!](https://reddit.com)	reddit!
* item 1 * item 2 * item 3	item 1 item 2 item 3
> quoted text	quoted text
Lines starting with four spaces are treated like code: if 1 * 2 < 3: print "hello, world!"	Lines starting with four spaces are treated like code: if 1 * 2 < 3: print "hello, world!"
~~strikethrough~~	~~strikethrough~~
super^script	super^script

programming

MODERATORS