Reply to post: to store packages in git or not that is the question

Worried about occasional npm malware scares? It's more common than you may think

Rob Davis

to store packages in git or not that is the question

Good article for awareness, thank you.

It resurrects the dilemma I have about what to store in git and wonder what other readers think: to store whole dependency packages in git or not.

If one stores everything in their project in git, including the dependency packages' complete source code, the whole project and exact code is stored, which can provide assurance that where it is deployed, it will always be the same. And any changes from a package update will be seen as git changes, so this can make it quicker to see changes. However, pull requests could be large, making it take longer for a developer to find changes to the project's own code if the changes required dependency updates to be included in the same commit. I suppose it depends on how git commits are managed.

On the other hand, if one only stores the dependency list files, i.e. the .json etc. files, and not the dependency code itself, then code reviews can be quicker and focus on changes to the project's own code, with more time to focus on them, picking up more faults that might have been missed otherwise. But by just including the package list in git, the code in the packages won't be seen in the review if changed, which is where security issues can creep in.

This is a consideration for other development platforms such as PHP and PHP Composer, too.

What do you folks think?

I guess there might need to be more stewardship at npm source. I think Microsoft have some involvement (ownership?) so their experience of malware and counteracting tools could be useful here.


Biting the hand that feeds IT © 1998–2022