Languishing lodash library loophole finally fitted for a fix: It's only taken since October to address security bug

A lingering vulnerability in lodash, a popular JavaScript helper library distributed through package manager npm, has prompted developers to kvetch about the fragile state of security. The occasion for the renewal of what's been a longstanding concern was the publication on Wednesday of an npm security advisory, which should …

  1. cbars Silver badge

    Re-inventing the tools to make a wheel

    The website is the car in this analogy; we know it's useful and it serves many purposes. To build the car we need some way to send and receive data, style it, get user input... etc.

    This stuff all exists, and has done for a long time. You can hand crank HTML etc. and what you get is rock solid. All these libraries do is change the way you build your wheel, your axle. Yes, it seems faster, but you trade stability/maintainability/security/performance and simplicity for development speed alone...

    I honestly am not advocating hand cranking code, but the trade-offs need to be made only in appropriate places, not "use this 1 framework to solve all your problems". You're building a car, so it makes sense to reuse the frame of another manufacturer, but other than that it's best to just do it yourself.

    It's not innovation to reinvent the tools to build the wheel, it's procrastination; and besides, using different tools every time you build a car is upsettingly inefficient.

  2. Concrete Gannet

    Supporting critical open source

    Critical open source with too few to maintain it is a serious problem, but people are working on it.

    The Ford and Sloan Foundations are supporting research to understand the issues: https://www.fordfoundation.org/campaigns/critical-digital-infrastructure-research/

    In particular, have a look at Nadia Eghbal's report: https://www.fordfoundation.org/media/2976/roads-and-bridges-the-unseen-labor-behind-our-digital-infrastructure.pdf

    OpenSSL is a prime example. Google, IBM, Microsoft, Intel and Facebook are now contributing to its maintenance: https://arstechnica.com/information-technology/2014/04/tech-giants-chastened-by-heartbleed-finally-agree-to-fund-openssl/ .

  3. This post has been deleted by its author

  4. trevorde

    Bus Factor = 1

    https://en.wikipedia.org/wiki/Bus_factor

  5. Kubla Cant Silver badge

    Most people probably use Lodash to try to reduce the uncertainties of writing JavaScript*.

    As pointed out here, you can do without Lodash. But in many cases the native ES5/ES6 code is more verbose or less transparent than the Lodash alternative. You therefore have the choice of inlining the native code everywhere, which lays up technical debt for the inevitable day when a defect is discovered in it, or writing your own library, which is really just dogfooding Lodash.

    * Probably because I'm an old fart who learned coding on less high-spirited languages, I find JavaScript a constant source of anxiety, even though I spend a lot of time on it these days. It's bizarre the way it puts Tony Hoare's billion-dollar mistake in the shade by having three kinds of nullity, even though it only has about half a dozen datatypes that are constantly turning into each other.

  6. Ben Liddicott

    These are not accidents.

    That is all.
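A worked illustration of the trade-off raised in comment 5 (Kubla Cant's point that the native ES5/ES6 code is often more verbose than the Lodash call it replaces, and that hand-rolling it means maintaining your own mini-library). This is an added example, not code from the article, the commenters, or the lodash project: the helper names `get`, `pick` and `groupBy` mirror common Lodash names, but the implementations, the `sampleDoc` input and the own-property check inside `get` are this example's own constructions and do not claim to match Lodash's exact semantics.

```javascript
// Added example: native ES2015+ stand-ins for three commonly used helpers.
// Everything here is the example's own code; it is not Lodash.

// get(obj, 'a.b[0].c', fallback): safe deep property read.
// The path may be an array of keys or a dotted string with [index] parts.
function get(obj, path, fallback) {
  const keys = Array.isArray(path)
    ? path
    : String(path).replace(/\[(\w+)\]/g, '.$1').split('.').filter(Boolean);
  let cur = obj;
  for (const k of keys) {
    if (cur === null || cur === undefined) return fallback;
    // Design choice of this example: only follow own properties, so a
    // path never walks into the prototype chain (e.g. '__proto__.x').
    if (!Object.prototype.hasOwnProperty.call(Object(cur), k)) return fallback;
    cur = cur[k];
  }
  return cur === undefined ? fallback : cur;
}

// pick(obj, ['a', 'b']): shallow copy containing only the listed own keys.
function pick(obj, keys) {
  const out = {};
  for (const k of keys) {
    if (Object.prototype.hasOwnProperty.call(obj, k)) out[k] = obj[k];
  }
  return out;
}

// groupBy(items, fn): Map from fn(item) to the array of items with that key.
// A Map is used rather than a plain object so that keys such as
// 'constructor' or '__proto__' cannot collide with Object.prototype members.
function groupBy(items, keyFn) {
  const groups = new Map();
  for (const item of items) {
    const k = keyFn(item);
    if (!groups.has(k)) groups.set(k, []);
    groups.get(k).push(item);
  }
  return groups;
}

// Constructed sample input for the demonstration (not real data).
const sampleDoc = {
  user: { name: 'ada', tags: ['x', 'y'], prefs: { theme: 'dark' } },
  count: 3,
};

// Small driver so the block runs stand-alone.
function demo() {
  return {
    tag: get(sampleDoc, 'user.tags[1]'),                 // 'y'
    missing: get(sampleDoc, 'user.missing.deep', 'n/a'), // 'n/a'
    proto: get(sampleDoc, '__proto__.toString', 'blocked'), // 'blocked'
    picked: pick(sampleDoc, ['count', 'nope']),          // { count: 3 }
    parity: groupBy([1, 2, 3, 4], (n) => (n % 2 === 0 ? 'even' : 'odd')),
  };
}

console.log(demo());
```

Each of these is a handful of lines, yet the string-path parsing in `get` alone shows why people reach for a library: the moment you write it yourself you also own its edge cases (empty segments, array indices, values that happen to be `undefined`) and any defect found in it later, which is exactly the "dogfooding" the comment describes. The own-property check is a deliberate defensive choice for this example; whichever helper you end up keeping, a test that a path like `__proto__.x` does not read through the prototype chain is cheap and worth having.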
