Reply to post: Elephant in the room ?

Security warning deluge from 'npm audit' is driving developers to distraction

DevOpsTimothyC Bronze badge

Elephant in the room ?

Then there was another that had a SQL injection problem. Okay - but in our project we weren't even using a SQL database!

Then why are you including a library with SQL connectivity? Even if it isn't the library that you're using directly but one of the libraries that are being pulled in as a dependency, or a dependency of a dependency.

This really comes back to some of the issues that https://www.theregister.com/2016/03/23/npm_left_pad_chaos/ highlighted over 5 years ago.

To some extent, the situation is unavoidable given the attack surface in the Node.js ecosystem, where the installation of an average npm package means trusting around 80 other packages due to transitive dependencies

producing numbers often larger than the number of modules in the tree

Both of those quotes should (and in other communities would) ring alarm bells. The situation is not unavoidable; it's just something that node and npm have decided to live with because it's easier to complain than to address the bigger issues.
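An added illustration of the point about transitive trust (this is example code, not something from the comment above, from The Register, or from npm itself): it walks a package-lock.json in the lockfileVersion 2/3 "packages" layout, counts every package the root ends up trusting, and reports the dependency chain that drags in a given name, so you can answer "why is a SQL driver in my tree?" without guessing. The lockfile and all package names below are constructed for the demo; the resolution rule (nearest `node_modules` directory, walking up to the root) is the one Node uses.

```javascript
// Example: count transitive trust and trace who pulls in a package.
// Constructed lockfile (lockfileVersion 3 "packages" map); names are invented.
const LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "web-framework": "^1.0.0", "logger": "^2.0.0" } },
    "node_modules/web-framework": { version: "1.0.0", dependencies: { "orm-lib": "^3.0.0" } },
    "node_modules/orm-lib": { version: "3.0.0", dependencies: { "sql-driver": "^4.0.0", "util-lib": "^1.0.0" } },
    // nested copy: orm-lib needs an older util-lib than the root one
    "node_modules/orm-lib/node_modules/util-lib": { version: "1.0.0" },
    "node_modules/sql-driver": { version: "4.0.0" },
    "node_modules/logger": { version: "2.0.0", dependencies: { "util-lib": "^2.0.0" } },
    "node_modules/util-lib": { version: "2.0.0" },
  },
};

// Resolve dependency `name` required by the package at lockfile path `from`
// the way Node does: nearest node_modules directory, walking up to the root.
function resolveDep(packages, from, name) {
  let base = from;
  for (;;) {
    const candidate = base ? `${base}/node_modules/${name}` : `node_modules/${name}`;
    if (packages[candidate]) return candidate;
    if (!base) return null; // reached the root without finding it
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Depth-first walk from the root. Returns Map<lockfile path, chain of names>
// where the chain is the first route found from the root to that package.
function walk(lock) {
  const packages = lock.packages;
  const chains = new Map();
  const stack = [{ path: "", chain: [] }];
  while (stack.length) {
    const { path, chain } = stack.pop();
    const deps = packages[path].dependencies || {};
    for (const name of Object.keys(deps)) {
      const resolved = resolveDep(packages, path, name);
      if (resolved === null) {
        throw new Error(`unresolvable dependency ${name} from ${path || "<root>"}`);
      }
      if (chains.has(resolved)) continue; // already visited (diamond or cycle)
      const next = chain.concat(name);
      chains.set(resolved, next);
      stack.push({ path: resolved, chain: next });
    }
  }
  return chains;
}

// Number of distinct installed packages the root transitively trusts.
function countTrusted(lock) {
  return walk(lock).size;
}

// Every installed copy of `name`, with its version and the chain that introduced it.
function whoPullsIn(lock, name) {
  const hits = [];
  for (const [path, chain] of walk(lock)) {
    if (chain[chain.length - 1] === name) {
      hits.push({ path, version: lock.packages[path].version, chain });
    }
  }
  return hits;
}

console.log(`root trusts ${countTrusted(LOCK)} packages`);
for (const hit of whoPullsIn(LOCK, "sql-driver")) {
  console.log(`${hit.path}@${hit.version} via ${hit.chain.join(" > ")}`);
}
```

Point `LOCK` at a real `package-lock.json` (after `JSON.parse`) and the same functions apply; for the older lockfileVersion 1 layout with nested `dependencies` objects you would need a different loader, which is not shown here. The useful output is the chain: a dependency of a dependency is still code your build trusts, and that chain is what you need when deciding whether to replace the direct dependency that introduced it.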
