Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
Security proposition
See original GitHub issueProblem:
node-postgres depends (directly and recursively) on 16 other packages. May any of these become controlled by an attacker, the baddies can easily control your application’s backend via node-postgres.
This is well-known and serious attack:
https://schneid.io/blog/event-stream-vulnerability-explained/
It scares me anytime I hit npm install.
Solution:
Most of the dependencies have quite short codes, so it’s trivial to ‘embed’ them to the project directly. I consider success even partial dependency elimination, as it reduces the attack surface.
Realization:
If agreed, I’m happy to do the change and submit PR.
Issue Analytics
- State:
- Created 5 years ago
- Comments:11 (2 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
Definitely worrying to see that. Name usurpation/confusion is obviously an easy vector attack.
Agree with @charmander (except using
yarn.lock); vendoring non-trivial dependencies raises issues due to using stale code which may have vulnerabilities in - it massively increases the work required of the maintainer to keep things up to date and makes it harder for users to patch their own systems using tools like Snyk to upgrade/patch certain dependencies.When you run code in the node ecosystem, using a lockfile is critical, and when you upgrade modules you should review their changelogs and ensure they’re safe.