Hacker News
by probablycorey 2981 days ago
Is this realistic though? Every time you update a dependency you would have to read its source (and its source dependencies, and their source dependencies...)

To do that well, it would be someone's full-time job to read and do security audits on all those dependencies.

2 comments

Last time I went to one of the Bay Area node meetups, that given meetup was being sponsored by just such a company. Can't remember the name, unfortunately.

The idea was though that you'd feed them your package.json and they'd let you know of any vulnerabilities, iirc. Or maybe they had a private repo of packages they'd checked? Can't remember.

Possibly https://snyk.io/ ?
Theoretically, once something is updated, all you would have to do is check the diff. Still tedious though.
I look forward to all the clever exploits that result from benign-looking code being added to benign-looking code.
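The "check the diff" review suggested two comments up, and the benign-looking-code worry in the last comment, worked through as an added example. This is not code from anyone in the thread and not the tooling of any company mentioned in it. The script compares two versions of an npm package, flags new or changed install-time lifecycle scripts and dependencies in package.json, and scans the lines added to any other file for a short list of patterns worth reading by hand. The two package versions, the file contents, the package names and the base64 string (it decodes to `echo hello`) are all constructed here so the script runs offline; a real run would read the files out of two `npm pack` tarballs. The pattern list is an assumption for the example, a starting point for a reviewer rather than a complete audit rule.

```javascript
// Added example for the thread above, not code from any poster or vendor.
// Reviews the diff between two versions of an npm package and reports what a
// reviewer should read first. Both package versions are constructed in memory
// (path -> file text) so this runs offline; in practice read them from
// `npm pack` output for the old and new version.

// Scripts npm runs automatically on install; a change here executes on every
// consumer's machine without the package ever being imported.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Patterns that turn a benign-looking added line into one to read closely.
// This list is an assumption for the example, not a complete audit rule set.
const RISKY_PATTERNS = [
  { name: 'dynamic code execution', re: /\b(eval|new\s+Function)\s*\(/ },
  { name: 'child process', re: /require\(\s*['"]child_process['"]\s*\)/ },
  { name: 'network access', re: /require\(\s*['"](?:http|https|net|dgram)['"]\s*\)/ },
  { name: 'encoded payload', re: /Buffer\.from\([^)]*['"]base64['"]\s*\)/ },
];

// Non-blank lines present in the new text but not in the old one. A set
// difference rather than a true line diff, which is enough to find added material.
function addedLines(oldText, newText) {
  const seen = new Set(oldText.split('\n'));
  return newText.split('\n').filter((line) => line.trim() !== '' && !seen.has(line));
}

// Lifecycle scripts that were added, removed or changed between versions.
function scriptChanges(oldPkg, newPkg) {
  const o = oldPkg.scripts || {};
  const n = newPkg.scripts || {};
  return LIFECYCLE_HOOKS.filter((h) => o[h] !== n[h]).map((h) => ({ script: h, from: o[h], to: n[h] }));
}

// Dependencies added or whose range changed; each one widens what `npm install`
// pulls in, so it belongs in the review even if this package's own code is fine.
function dependencyChanges(oldPkg, newPkg) {
  const changes = [];
  for (const field of ['dependencies', 'optionalDependencies']) {
    const o = oldPkg[field] || {};
    const n = newPkg[field] || {};
    for (const [name, range] of Object.entries(n)) {
      if (o[name] !== range) changes.push({ field, name, from: o[name], to: range });
    }
  }
  return changes;
}

const show = (v) => (v === undefined ? '(absent)' : JSON.stringify(v));

// Returns findings as { file, kind, detail } objects in review order:
// package.json first, then new or risky lines per file, then removed files.
function reviewUpdate(oldFiles, newFiles) {
  const findings = [];
  const oldPkg = JSON.parse(oldFiles['package.json']);
  const newPkg = JSON.parse(newFiles['package.json']);
  for (const c of scriptChanges(oldPkg, newPkg)) {
    findings.push({ file: 'package.json', kind: 'lifecycle script', detail: `${c.script}: ${show(c.from)} -> ${show(c.to)}` });
  }
  for (const c of dependencyChanges(oldPkg, newPkg)) {
    findings.push({ file: 'package.json', kind: 'dependency', detail: `${c.field}.${c.name}: ${show(c.from)} -> ${show(c.to)}` });
  }
  for (const [path, text] of Object.entries(newFiles)) {
    if (path === 'package.json') continue;
    const oldText = oldFiles[path];
    if (oldText === undefined) {
      findings.push({ file: path, kind: 'new file', detail: `${text.split('\n').length - 1} lines` });
    }
    for (const line of addedLines(oldText || '', text)) {
      for (const p of RISKY_PATTERNS) {
        if (p.re.test(line)) findings.push({ file: path, kind: p.name, detail: line.trim() });
      }
    }
  }
  for (const path of Object.keys(oldFiles)) {
    if (!(path in newFiles)) findings.push({ file: path, kind: 'removed file', detail: '' });
  }
  return findings;
}

// Constructed sample (not a real package): 1.0.1 adds a postinstall hook, a new
// dependency and a setup.js that runs a base64-encoded command (here just
// `echo hello`), while index.js gets a harmless signature change that should
// produce no finding at all.
const OLD_FILES = {
  'package.json': JSON.stringify({ name: 'example-lib', version: '1.0.0', main: 'index.js', dependencies: {} }),
  'index.js': "module.exports = function pad(s, n) {\n  return String(s).padStart(n);\n};\n",
};
const NEW_FILES = {
  'package.json': JSON.stringify({
    name: 'example-lib', version: '1.0.1', main: 'index.js',
    scripts: { postinstall: 'node setup.js' },
    dependencies: { 'example-util': '^2.0.0' },
  }),
  'index.js': "module.exports = function pad(s, n, ch = ' ') {\n  return String(s).padStart(n, ch);\n};\n",
  'setup.js': "const cp = require('child_process');\nconst cmd = Buffer.from('ZWNobyBoZWxsbw==', 'base64').toString();\ncp.execSync(cmd);\n",
};

for (const f of reviewUpdate(OLD_FILES, NEW_FILES)) {
  console.log(`${f.file}: ${f.kind} ${f.detail}`.trim());
}
```

On the sample the script reports five findings: the new postinstall hook, the added dependency, the new setup.js file, and two of its lines (the child_process require and the base64 decode), while the reworked index.js lines are silently accepted. That last point is the one the closing comment makes: the set-difference plus pattern scan tells you where to look, not that the rest is safe, so a reviewer still has to read the added lines the patterns did not match.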