by kevincox 1864 days ago
Of course this requires internet access. It is also arguably less secure as it is downloading code from the internet and means that you are trusting the latest code from a handful of people. https://www.npmjs.com/package/serve
3 comments

Worth noting, because it’s non-obvious but does address some of the concern around npx, that it resolves to any locally available version using standard Node module resolution, then falls back to downloading from NPM. And in the next version it will warn before downloading.
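The lookup order this comment describes, written out as an added shell example (not code from the thread or from npx itself): it walks up from the working directory looking for node_modules/.bin/<name> the way Node module resolution does, and the wrapper refuses to run anything that would otherwise fall through to a registry download. Assumes a POSIX sh and that the binary of interest lives under node_modules/.bin.

```sh
#!/bin/sh
# Added example, not from the thread: mimic npx's "local first" lookup so you
# can see which binary would run BEFORE anything is fetched from the registry.
# Walks up from a directory looking for node_modules/.bin/<name>; returns 1 if
# no local copy exists, i.e. the point at which npx would fall back to NPM.
resolve_local_bin() {
  name="$1"
  dir="${2:-$PWD}"
  while :; do
    candidate="$dir/node_modules/.bin/$name"
    if [ -x "$candidate" ]; then
      printf '%s\n' "$candidate"
      return 0
    fi
    # Stop at the filesystem root (dirname "/" is "/", so this avoids a loop)
    [ "$dir" = "/" ] && return 1
    dir=$(dirname "$dir")
  done
}

# Wrapper: only run a package binary that is already on disk; refuse otherwise,
# so the "download the latest from NPM" path never happens implicitly.
run_local_only() {
  name="$1"; shift
  bin=$(resolve_local_bin "$name") || {
    printf 'refusing to run %s: no local install found (npx would download it)\n' "$name" >&2
    return 1
  }
  "$bin" "$@"
}
```

Pair it with a pinned dependency in package.json and `run_local_only serve` behaves like `npx serve` without the implicit fetch of whatever version happens to be latest.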
I mean as a JS developer I am already kind of desensitized to taking my life in my hands when I do pretty much anything.
> ...arguably less secure as it is downloading code from the internet...

Don't essentially all the options involve code downloaded from the internet? And you have to trust the source that it isn't malware or too buggy or insecure?

Are you making a case that the maintainers of this package aren't trustworthy? Or maybe the operators of npmjs.com?

I'm just not understanding the claim this is less secure than various other options.

It feels somewhat disingenuous to rephrase "is downloading" as "downloaded" as though they mean the same thing.
How does when you happen to download something affect how secure it is?

By default -- presumably the most common case by far -- "npx serve" will download the most recent stable build. But why should that be less secure than some previous version?

New vulnerabilities could have been introduced. But, of course, old ones could have been resolved.

If you generally trust the source to be working in good faith and have an adequate level of competence, I would expect a given package/tool tends to become more secure over time, so taking the latest is a generally good strategy (not perfect of course) compared to running a version that is out-of-date to an arbitrary degree.

Of course, if you don't generally trust the source to be working in good faith or have an adequate level of competence, then you should not use the package/tool no matter when it was built or when you downloaded it.

I'm not seeing the logic here.