• DangerousDetlef@lemmy.world
    link
    fedilink
    English
    arrow-up
    12
    ·
    1 year ago

    The really scary thing is probably the malicious npm dependencies. If I think about the projects at work with and all the different packages and the hundreds of dependencies no one knows. And it’s probably even worse in really big companies like Microsoft or Facebook, they probably got thousands across their products. I hope for us all that they scan them very regularly.

    • bassomitron@lemmy.world
      link
      fedilink
      English
      arrow-up
      5
      arrow-down
      2
      ·
      1 year ago

      This is why my work will only use enterprise supported distros like RHEL. We don’t have the manpower to stay on top of every single package update to ensure they’re absolutely safe.

      • einsteinx2
        link
        fedilink
        English
        arrow-up
        5
        ·
        1 year ago

        What does RHEL have to do about NPM package dependencies in software projects? A server or a developer’s desktop machine using RHEL would still be pulling the same packages from NPM as another other distro…unless I’m missing something?

          • einsteinx2
            link
            fedilink
            English
            arrow-up
            2
            ·
            1 year ago

            No worries! I thought maybe RHEL had like their own NPM repo or something (I think NixOS has python packages, so that kind of thing isn’t unheard of), but then that didn’t really make sense so I wanted to make sure I was understanding.