this post was submitted on 18 Jul 2023
144 points (99.3% liked)

Technology

59585 readers
5454 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] DangerousDetlef 12 points 1 year ago (1 children)

The really scary thing is probably the malicious npm dependencies. If I think about the projects at work with and all the different packages and the hundreds of dependencies no one knows. And it's probably even worse in really big companies like Microsoft or Facebook, they probably got thousands across their products. I hope for us all that they scan them very regularly.

[–] bassomitron 3 points 1 year ago (1 children)

This is why my work will only use enterprise supported distros like RHEL. We don't have the manpower to stay on top of every single package update to ensure they're absolutely safe.

[–] [email protected] 4 points 1 year ago (1 children)

What does RHEL have to do about NPM package dependencies in software projects? A server or a developer’s desktop machine using RHEL would still be pulling the same packages from NPM as another other distro…unless I’m missing something?

[–] bassomitron 4 points 1 year ago (1 children)

You're right, I'm a dumb dumb and misread the whole thing as RPM, whoops!

[–] [email protected] 2 points 1 year ago

No worries! I thought maybe RHEL had like their own NPM repo or something (I think NixOS has python packages, so that kind of thing isn’t unheard of), but then that didn’t really make sense so I wanted to make sure I was understanding.