248
this post was submitted on 05 Nov 2024
248 points (99.2% liked)
Technology
59287 readers
4106 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related content.
- Be excellent to each another!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, to ask if your bot can be added please contact us.
- Check for duplicates before posting, duplicates may be removed
Approved Bots
founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
I don't know much about NPM (having avoided JS as much as possible for my entire life), but golang seems to have a good solution: 'vendoring'. One can choose to lock all external dependencies to local snapshots brought into a project, with no automatic updating, but with the option to manually update them when desired.
NPM has that as well. In fact most languages and build tools support that. It's actually rare to not have support for that these days.
Ah, good. I wonder why it isn't used more often -- this wouldn't be such a huge problem then I would hope. (Let me guess -- 'convenience', the archenemy of security.)
Because it doesn’t really solve much. After every update of external libraries, do you go through all the diffs to see if there is malicious code? Of course you don’t. And even if you would, it’s not even always possible to spot it. So all locking packages does is postpone the problem to when you eventually update. As an added bonus, you’re now vulnerable to all the legitimate issues that get fixed in those updates you’re not installing regularly.