That second issue is the kind that scares me. Be it Rust, Python, Node... public package managers have always seemed like a huge risk to me with how we just assume nothing nefarious will be installed b/c hey, npm repo said 11,000,000 downloads per week, so it can't possibly be dangerous?
I'm guilty of this: my latest Nuxt project has 47,000 dependencies. yarn audit helps, but can I even trust that since it is retroactive?
Does that count duplicates, i.e. if a thousand different packages depend on exactly the same version of some package X, you get a thousand copies and count it a thousand times?
Otherwise I can't fathom how it's possible for a project to have 47000 dependencies. I mean, my main Linux machine has all kinds of old garbage installed and still the package manager only lists 2000 packages.
Yes, it does include dupes, that's why I use yarn instead of npm. That being said, sometimes it is multiple versions of the same package, so yes-and-no.
It's not really conceptually different from relying on third party libraries in any context.
I haven't touched JavaScript since the late 90s, so I dunno what the hell's going on there, but in my C++ projects I typically have 10-20 dependencies (counting modularized Boost as one). They're either built by a custom script which includes the SHA256 of the tarballs it expects, or by a particular pinned commit of vcpkg which likewise uses SHA512 to verify its downloads.
I generally only update these when I need a new feature or bug fix, which means I'm unlikely to get bitten by any temporary security compromise.
If the "particular checkout of vcpkg" type of approach is impossible with other package managers, that's unfortunate.
> I haven't touched JavaScript since the late 90s, so I dunno what the hell's going on there,
Well you're in for a surprise: the entire web is built on JavaScript for one thing. And that is built on frameworks which are built on ... other frameworks, which are built on a ginormous repository typically accessed by npm/yarn.
npm modules aren't the same as boost. Boost is written and scrutinized by some of the best C++ minds on the planet.
npm modules are written by anyone. They are all open source, but so many are in use that I doubt they get the scrutiny they deserve. At one point there was a package just to left-align things and a bug in it broke thousands of services.
but that's the landscape the modern web is built on, for better or for worse.
Fortunately this is the default in JavaScript world with both Yarn and NPM supporting lockfiles which have hashes and pinned versions. The problem is the sheer volume of dependencies and transient dependencies which makes it hard to reliably audit those, as updating one thing can cause a lot of work.
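The two mechanisms mentioned in this thread, a build script that carries the SHA256 of each tarball it expects, and the hashed, pinned entries in an npm/yarn lockfile, boil down to the same check: refuse to unpack anything whose digest does not match the value recorded when the dependency was vetted. The script below is an added example, not code from any commenter or from vcpkg/npm/yarn. It accepts a pin in either a `sha256:<hex>` form (as a hand-written build script might use) or the SRI `sha512-<base64>` form that npm's `package-lock.json` `integrity` field uses, and only extracts on a match. The archive, source file and pin are constructed inline for the demo; a real script would hard-code the pin rather than compute it. It assumes GNU coreutils (`sha256sum`, `sha512sum`, `base64`, `od`) and `tar`.

```shell
#!/bin/sh
# Added example, not code from the thread: unpack a dependency archive only
# after its hash matches a value pinned in the build script, in either the
# "sha256:<hex>" form a custom script might carry or the SRI "sha512-<base64>"
# form found in npm/yarn lockfile "integrity" fields. Uses only coreutils
# (sha256sum, sha512sum, base64, od) plus tar.
set -eu

# verify_archive FILE EXPECTED
# EXPECTED is "sha256:<hex>" or "sha512-<base64>". Returns 0 on match,
# 1 on mismatch or an unrecognised format. Comparison is done on lowercase hex.
verify_archive() {
    file=$1
    expected=$2
    case $expected in
        sha256:*)
            want=$(printf '%s' "${expected#sha256:}" | tr 'A-F' 'a-f')
            have=$(sha256sum "$file" | cut -d' ' -f1)
            ;;
        sha512-*)
            # SRI carries the raw digest base64-encoded; decode it to hex.
            want=$(printf '%s' "${expected#sha512-}" | base64 -d | od -An -tx1 -v | tr -d ' \n')
            have=$(sha512sum "$file" | cut -d' ' -f1)
            ;;
        *)
            echo "verify_archive: unsupported pin format: $expected" >&2
            return 1
            ;;
    esac
    if [ "$want" != "$have" ]; then
        echo "verify_archive: hash mismatch for $file" >&2
        echo "  pinned: $want" >&2
        echo "  actual: $have" >&2
        return 1
    fi
    return 0
}

# unpack_pinned ARCHIVE EXPECTED DEST
# Extracts ARCHIVE into DEST only if verify_archive passes; nothing is
# written on failure, so a swapped tarball never reaches the build tree.
unpack_pinned() {
    verify_archive "$1" "$2" || return 1
    mkdir -p "$3"
    tar -xf "$1" -C "$3"
}

# --- constructed demo data (not a real package) ---
work=$(mktemp -d)
mkdir "$work/src"
printf 'int main(void){return 0;}\n' > "$work/src/main.c"
tar -cf "$work/dep.tar" -C "$work" src

# A real build script would hard-code this value; here it is computed once to
# stand in for the pin taken when the dependency was first vetted.
pin="sha256:$(sha256sum "$work/dep.tar" | cut -d' ' -f1)"

unpack_pinned "$work/dep.tar" "$pin" "$work/build" && echo "unpacked with pin $pin"

# Simulate a tampered or substituted download: one extra byte changes the hash.
printf 'x' >> "$work/dep.tar"
if unpack_pinned "$work/dep.tar" "$pin" "$work/build2"; then
    echo "BUG: tampered archive was accepted" >&2
    exit 1
else
    echo "tampered archive refused, as intended"
fi
rm -rf "$work"
```

The decode step matters because a lockfile pin and a `sha512sum` line encode the same digest differently (base64 versus hex); comparing the wrong encodings would make every check fail, which tempts people to disable it. Note that this only defends against a package being swapped after you pinned it; it says nothing about whether the version you pinned was trustworthy in the first place, which is the audit problem the thread is really about.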