Hacker News
by jmull 1867 days ago
> ...arguably less secure as it is downloading code from the internet...

Don't essentially all the options involve code downloaded from the internet? And you have to trust the source that it isn't malware or too buggy or insecure?

Are you making a case that the maintainers of this package aren't trustworthy? Or maybe the operators of npmjs.com?

I'm just not understanding the claim this is less secure than various other options.

1 comment

It feels somewhat disingenuous to rephrase "is downloading" as "downloaded" as though they mean the same thing.
How does when you happen to download something affect how secure it is?

By default -- presumably the most common case by far -- "npx serve" will download the most recent stable build. But why should that be less secure than some previous version?

New vulnerabilities could have been introduced. But, of course, old ones could have been resolved.

If you generally trust the source to be working in good faith and have an adequate level of competence, I would expect a given package/tool tends to become more secure over time, so taking the latest is a generally good strategy (not perfect of course) compared to running a version that is out-of-date to an arbitrary degree.

Of course, if you don't generally trust the source to be working in good faith or have an adequate level of competence, then you should not use the package/tool no matter when it was built or when you downloaded it.

I'm not seeing the logic here.