this post was submitted on 05 Nov 2024
248 points (99.2% liked)

Technology

59282 readers
3932 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 14 points 1 week ago (8 children)

I don't know much about NPM (having avoided JS as much as possible for my entire life), but golang seems to have a good solution: 'vendoring'. One can choose to lock all external dependencies to local snapshots brought into a project, with no automatic updating, but with the option to manually update them when desired.

[–] [email protected] 21 points 1 week ago (4 children)

NPM has that as well. In fact most languages and build tools support that. It's actually rare to not have support for that these days.

[–] [email protected] -2 points 1 week ago (2 children)

Ah, good. I wonder why it isn't used more often -- this wouldn't be such a huge problem then I would hope. (Let me guess -- 'convenience', the archenemy of security.)

[–] [email protected] 10 points 1 week ago

Because it doesn’t really solve much. After every update of external libraries, do you go through all the diffs to see if there is malicious code? Of course you don’t. And even if you would, it’s not even always possible to spot it. So all locking packages does is postpone the problem to when you eventually update. As an added bonus, you’re now vulnerable to all the legitimate issues that get fixed in those updates you’re not installing regularly.

load more comments (1 replies)
load more comments (2 replies)
load more comments (5 replies)