Worried about occasional npm malware scares? It's more common than you may think

captain veg Silver badge

old skool

Most of the time that I've been creating software in return for money we either wrote it ourselves or paid for supported libraries that did tricky stuff.

Even for the tricky stuff, we first of all asked whether we could make it ourselves. Almost always the answer was yes, but we didn't have time.

Bought-in software is subject to contract. It's far from ideal, but at least it means that your company's bankruptcy lawyers might be able to salvage something. Free stuff on GitHub (or whatever), not so much.

I'm certainly not saying that everything on GitHub (or whatever) is worthless. I'm merely pointing out the obvious, that it comes with no guarantees.

Speaking for myself, if there were a particular problem domain for which I could not myself quickly code a solution, I might consider checking out what's available in the public domain. But before I deployed it as part of any solution I would make damn sure that I had read all the source code and understood it. How else to prevent the ingress of, at minimum, buggy code and, at maximum, malware?
