by wesleytodd 3137 days ago
We run nsp on our production services in CI before merge. The number of false positives I have tracked down is infinitely higher than the number of vulns found. I literally mean this: we have never seen one disclosure which resulted in a viable attack on our production services.

For example, a bunch of ReDoS vulns were recently reported in popular libraries, none of which were in code paths hit by our configurations.

So needless to say, I think this is a sensationalist headline.


I think it's an absolute statement about the lack of awareness to this risk.

Of course some of these sites would not actually be vulnerable, but I would bet the vast majority of them don't even know they're using a library with a known vulnerability.

Agreed, but the tools (nsp) are there to make it simple to know. Devs who are not going to update/patch are not the target here, so making big claims like this does not strongly add to the conversation IMO.

Also, this is nothing new on the web; the number of WordPress sites with known vulns is probably MUCH higher.

NOTE: I am NOT saying we have had no security vulns. Just that the Snyk and nsp disclosures on packages do not mean that those applications are vulnerable.
"viable" is a function of how interesting your production services are to a capable adversary.