23

Found an article on medium, which does make one think about the security of fetching things from npm and somebody "checking" the source on github.

“I’m harvesting credit card numbers and passwords from your site. Here’s how.” @D__Gilbertson https://hackernoon.com/im-harvestin...

Comments
  • 0
    @1989 Exactly that, its always tempting to use a library off the shelf, especially in node that has basically require() everywhere and is known to have millions of dependencies, even in the libraries you pull - where you have hidden dependencies. That was also the issue why many libraries just broke when the drama happened with the kik package name holder:

    https://devrant.com/rants/1136107/...

    You personally cant do much, since theres no signatures to compare.

    Especially because minimized scripts often have a variety of signatures, due to different tools minimizing them [or even multiple times minimizing them].

    Npm would have to introduce signature checks and signing to make it actually remotely safe, but we all know, thats not going to happen, until shit hits the fan.
  • 0
    @duckifier have a link to the previous post? and its impossible not to repost something, especially because tags arent really used nor the link is not always included in the post.

    The general idea with reposts is anyway to mark it as repost if you want, it will then get hidden from people with repost filter, but not for the people that might not have seen it, like me.
  • 0
    @duckifier def. won't delete it, especially because I often come back to my devrant profile, if I lost some article that I shared on here.
Add Comment