Hacker News new | ask | show | jobs
by kkapelon 3010 days ago
Usually you don't use maven deps directly. You have a registry in your company that caches maven packages for you and runs vulnerability scans on the binary. So the binaries you end up using are "tested" internally.

Is that how people use NPM?

Also maven central does NOT support unpublishing of binaries. So if you have version 1.2 of something and you have scanned it once for vulnerabilities, it should always be the correct one. Nobody can publish again 1.2 in the central repo
1 comments
kabes 3010 days ago
In every somewhat serious company I've worked they used a local npm cache like jfrog (usually same one that's used for maven) that can get scanned for security. So yeah, that's how people use npm.

Unpublishing within those companies is usually not allowed, in the official npm registry you can only unpublish within the first 24 hours of publishing, after that you need to request it by email.

link
kkapelon 3010 days ago
>In every somewhat serious company I've worked they used a local npm

If that was the case for everybody, then left-pad would not have caused a problem for anybody. People would not notice anything wrong with their builds. The amount of github comments where people say that their production build just broke because of a missing package implies that people are NOT using NPM with a local registry

>in the official npm registry you can only unpublish within the first 24 hours of publishing

I don't believe this to be the case https://news.ycombinator.com/item?id=16087024

link
twelve40 3009 days ago
Just because it's a shitty common practice doesn't mean there isn't a proper way to do it (local repo). For example, there are tons of people who check in their secrets into public and private Github repos (including Uber eng), then they get jacked and complain. If they were smarter than that, "it would not have caused a problem for anybody". Doesn't really prove that what a lot of people do must be automatically good.
link
kkapelon 3008 days ago
True, but the fact that NPM seems to be the only repository where packages can be "re-published" further exacerbates the bad practices.

https://status.npmjs.org/incidents/41zfb8qpvrdj

The fact that 9 packages could be "published over" _after_ the left-pad fiasco, shows lack of attention.

Tools should try to foster good practices, instead of worsening bad ones.

link