Comment on Why is the Node ecosystem so demanding?

LaSaucisseMasquee@jlai.lu ⁨10⁩ ⁨months⁩ ago

• heeplr@feddit.de ⁨10⁩ ⁨months⁩ ago

  You’d rather not be aware that a vulnerability has been found since your last development ?

  I’d rather develop with dependencies that don’t have so many vulnerabilities.

  source

  • LaSaucisseMasquee@jlai.lu ⁨10⁩ ⁨months⁩ ago

    Yeah we all wanna do that, but nobody writes perfect code.

    source

    • heeplr@feddit.de ⁨10⁩ ⁨months⁩ ago

      That’s why people came up with defensive programming and functional correctnes.

      Just seems to be difficult for the webdev industry. Seems easier to push fixes from time to time.

      source
  • odbol@lemmy.world ⁨10⁩ ⁨months⁩ ago

    Then you’re in the wrong industry…

    source

    • heeplr@feddit.de ⁨10⁩ ⁨months⁩ ago

      If you mean web development, you’re right.

      If you mean computer science, then I’d say that webdevs have little in common with the industry that came up with stuff like ADA or functional correctness.

      source
• planish@sh.itjust.works ⁨10⁩ ⁨months⁩ ago

  I’m struggling to understand how there can be so many security flaws, even in things that don’t seem to matter for security. I think the bar for a security problem might be too low; a lot of these look like footguns that could give my package a security hole, rather than genuine security flaws in the packages they are reported on.

  Here’s a progress bar package with a “high” security vulnerability because it contains an internal utility that merges objects and doesn’t stop you writing to the prototype. Did the progress bar package ever promise to provide an object merge function that was safe to use on untrusted user input?

  Here’s a notification UI element that bills using HTML in your notification messages as a feature. It has a “medium” level “XSS” security vulnerability where the message parameter is not sanitized to remove HTML. A CVE was issued for this.

  Here’s an arbitrary code execution vulnerability in sqlite3! High severity! The bug is that, if you tell sqlite3 to substitute an object into an SQL statement, it will run the ToString() method on the object. If an evil hacker has broken into your lead developer’s house and written a malicious ToString() method into one of the classes of object you use as a database query parameter, then that code would run! The fix here was, instead of letting the normal Javascript stringification rules apply, to hardcode all objects to be inserted into the database as “[object Object]”, because surely that is what the programmer meant to store.

  source

  • nick@campfyre.nickwebster.dev ⁨10⁩ ⁨months⁩ ago

    You don’t need to do anything when you get a security advisory if you’re not impacted or the risk is acceptable. They’re just there to advise you.

    source

    • atheken@programming.dev ⁨10⁩ ⁨months⁩ ago

      The problem is that when you are alerted for trivial/non-actionable stuff it contributes to “alert-fatigue” and you just start ignoring all of the alerts.

      As far as I’m aware, there’s also no way to triage an alert from an install other than to upgrade the offending package, which means you can’t really discriminate on the basis of “acceptable risk”

      source
  • faintbeep@lemm.ee ⁨10⁩ ⁨months⁩ ago

    There’s a whole industry of bug bounty hunters making money off this trivial stuff. At work I had to fix a “bug” which could only be exploited if an attacker took control of facebook first, and even then it just meant a user could be redirected to a different website. And the company paid the clown that found the “vulnerability”.

    source
• AA5B@lemmy.world ⁨10⁩ ⁨months⁩ ago

  If you set the versions of your dependencies in the package.json file

  Or if you leave that alone, and update your package-lick.json so can install exact dependencies with npm ci

  source