Security warning deluge from 'npm audit' is driving developers to distraction

Filippo Silver badge

In one of the last projects I worked on, we used a library to generate random numbers, and the audit tool complained that the random numbers generated by the library were not good enough to be used for cryptography. Fine - but we were using them for simulations, not for cryptography!

We used another library that had many features, including some that went online and depended on a vulnerable SSL implementation. Thanks - but we were not using any online features at all!

Then there was another that had a SQL injection problem. Okay - but in our project we weren't even using a SQL database!

Then we had a whole gaggle of vulnerabilities in a test project. I get it - but it's a test project; it's not going to be Internet-facing at any time!

I understand that any of those issues might suddenly become real issues... but only if some specific sets of other much bigger mistakes happen. It's not worth ripping and replacing an entire library just because some insane person in the future might accidentally decide to remove the localhost-only restriction on the test suite and then put it online. Especially considering that the new library you just spent twenty hours replacing will most likely get flagged for something else in a couple months' time anyway, and it still won't matter because we are still not using it in a way where the vuln is relevant.

And yet, with all of that said, there were a few cases where the tool pointed out stuff that actually needed addressing.

This is definitely a problem, although I'm not sure how it could be solved cleanly and efficiently.
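The post above describes findings that are real in the abstract but not relevant to how a project uses the package. One way to stop re-litigating those every time `npm audit` runs is to record each accepted finding in a waiver file with a reason and an expiry date, and fail the build only on findings that are not waived or whose waiver has lapsed. The following is an added example, not code from the original post or from npm: the audit report is constructed by hand to follow the shape of an npm v7+ `npm audit --json` report (`auditReportVersion` 2), and the package names, advisory numbers, URLs and waiver entries are all invented for illustration.

```javascript
// Added example (not from the original post): triage `npm audit --json`
// findings against a waiver file, so "not relevant to us" is recorded with
// a reason and an expiry instead of being ignored ad hoc.
//
// Constructed sample report following the npm v7+ audit JSON shape
// (auditReportVersion 2). Package names, advisory ids and URLs are invented.
const sampleReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    "fake-rng": {
      name: "fake-rng", severity: "moderate", isDirect: true,
      via: [{ source: 1001, name: "fake-rng", title: "Insecure randomness",
              url: "https://example.invalid/advisories/1001",
              severity: "moderate", range: "<2.0.0" }],
      range: "<2.0.0", nodes: ["node_modules/fake-rng"],
    },
    "fake-sql-helper": {
      name: "fake-sql-helper", severity: "high", isDirect: false,
      via: [{ source: 1002, name: "fake-sql-helper", title: "SQL injection",
              url: "https://example.invalid/advisories/1002",
              severity: "high", range: "<1.4.2" }],
      range: "<1.4.2", nodes: ["node_modules/fake-sql-helper"],
    },
    "fake-framework": {
      name: "fake-framework", severity: "high", isDirect: true,
      // Affected only through its dependency: `via` holds a package name
      // string rather than an advisory object.
      via: ["fake-sql-helper"],
      range: "*", nodes: ["node_modules/fake-framework"],
    },
    "fake-test-tool": {
      name: "fake-test-tool", severity: "critical", isDirect: true,
      via: [{ source: 1003, name: "fake-test-tool", title: "Remote code execution",
              url: "https://example.invalid/advisories/1003",
              severity: "critical", range: "<5.0.0" }],
      range: "<5.0.0", nodes: ["node_modules/fake-test-tool"],
    },
  },
};

// Constructed waiver file. Every accepted finding carries a reason and an
// expiry date, so the "we don't use that feature" judgement gets reviewed
// again rather than silently inherited by the next maintainer.
const waivers = [
  { advisory: 1001, package: "fake-rng", expires: "2099-01-01",
    reason: "RNG feeds a Monte Carlo simulation; never used for keys or tokens" },
  { advisory: 1002, package: "fake-sql-helper", expires: "2020-01-01",
    reason: "Service has no SQL database; module is only pulled in transitively" },
];

// Root-cause advisory ids for one vulnerability entry. `via` mixes advisory
// objects (the package is vulnerable itself) with plain strings (the package
// is only affected through a dependency); only the objects carry an id.
function advisoryIds(vuln) {
  return vuln.via
    .filter((v) => typeof v === "object" && v !== null)
    .map((v) => v.source);
}

// Sort findings into waived, expired-waiver and open buckets. `today` is an
// ISO date string (YYYY-MM-DD), so plain string comparison orders dates.
function triage(report, waiverList, today) {
  const result = { waived: [], expired: [], open: [] };
  for (const vuln of Object.values(report.vulnerabilities)) {
    for (const id of advisoryIds(vuln)) {
      const entry = { package: vuln.name, advisory: id, severity: vuln.severity };
      const w = waiverList.find((x) => x.advisory === id && x.package === vuln.name);
      if (!w) {
        result.open.push(entry);
      } else if (w.expires < today) {
        result.expired.push({ ...entry, reason: w.reason, expires: w.expires });
      } else {
        result.waived.push({ ...entry, reason: w.reason });
      }
    }
  }
  return result;
}

// CI gate: fail on anything open, or on a waiver that has lapsed.
function exitCode(result) {
  return result.open.length + result.expired.length > 0 ? 1 : 0;
}

const outcome = triage(sampleReport, waivers, new Date().toISOString().slice(0, 10));
console.log(JSON.stringify(outcome, null, 2));
console.log("exit code:", exitCode(outcome));
```

To run this against a real project, replace `sampleReport` with the parsed output of `npm audit --json` and keep the waiver list in version control next to the lockfile, so the justification travels with the code and a reviewer can challenge it. For the test-project case in the post, `npm audit --omit=dev` (npm 7 and later) drops development-only dependencies from the report before triage, which removes a large share of the noise without any waivers at all.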
