Reply to post: 99% false positives is worse than nothing

Security warning deluge from 'npm audit' is driving developers to distraction

oldtaku
Devil

99% false positives is worse than nothing

You need below 5% false positives at the very worst, 1% is better (0% is impossible). Remember when Windows implemented UAC and programs triggered it every 5 minutes (because they weren't UAC-aware at the time) so everyone just turned it off because it was worse than useless? This is like that. You're not even going to notice a legitimate security issue in all the spam.

Eventually, if npm is actually more interested in making it useful rather than revenue enhancement, I think this can be largely mitigated. It's just a retread of what's been done before with compiler errors/warnings and lint errors/warnings though most of the JS people may have no idea what that even means or that this is hardly a new problem. The compiler (checker) gets better at deciding what's a real error and what's just a warning, the package authors get better about adapting their code to the compiler (checker) - which usually always results in better code - and then you get the option to manually disable specific things for specific packages. Just getting rid of the cascading errors (where a single thing generates 20 errors) would be a big start.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021