Hacker News
by TheRealPomax 1867 days ago
It's also very insecure, because you have no guarantee that the version of `serve` that gets pulled down has been vetted and is verified exploit-free, unless you tell npx exactly which version should be used, at which point things start to become less easy and more "having to remember which versions are safe".
2 comments

I'd love to audit every bit of code that runs on my machine but I also do not have a billion hours. Perhaps this is worse in JS land (it is) but this is a different problem to solve.
Which software do you run that is vetted and verified exploit-free?
What a lovely strawman counter-argument you're attempting.

Shall we instead focus on installing with SHA verification based on CVE? Let's do that, that sounds pretty sensible instead of just throwing around yet another thinly disguised "letting the perfect be the enemy of good".

You brought up this incredible standard, "vetted and verified exploit-free." I would like to know how it is achieved.
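The pinning and hash-verification step the thread argues about, as an added example that is not part of anyone's comment: npm publishes a Subresource Integrity value (`dist.integrity`, the same form package-lock.json stores) for every published version, so a downloaded tarball can be checked against it before it is installed or run. The helper below computes that SRI form locally; the version number and hash in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): check a fetched npm tarball against the
# SRI "integrity" value published for a pinned version before running it.
# npm's registry metadata (dist.integrity) and package-lock.json use the SRI
# form "sha512-<base64 of the raw digest>", not a hex digest, so the local
# computation has to produce exactly that encoding.

# sri_sha512 FILE -> prints "sha512-<base64>" for FILE.
sri_sha512() {
    printf 'sha512-%s\n' "$(openssl dgst -sha512 -binary "$1" | openssl base64 -A)"
}

# verify_integrity EXPECTED_SRI FILE -> returns 0 only when FILE matches.
verify_integrity() {
    expected="$1"
    file="$2"
    actual="$(sri_sha512 "$file")"
    if [ "$actual" = "$expected" ]; then
        echo "ok: $file matches $expected"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# Intended use, always against an explicit version (placeholders below; the
# real values come from `npm view serve@<version> dist.integrity`):
#   npm pack serve@<version>                  # downloads serve-<version>.tgz, installs nothing
#   verify_integrity 'sha512-<expected>' serve-<version>.tgz \
#       && npm install ./serve-<version>.tgz  # install only the verified tarball
```

Because the comparison is against a value recorded ahead of time, a later re-publish or registry-side substitution of the same version string fails the check instead of silently running.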