by preinheimer 1814 days ago
Honestly, this hit me.

I'm not a React developer, I was experimenting with it for a new project. I finished the tic-tac-toe tutorial, then tried to throw Bootstrap on top to build from there. It told me there were 97 vulnerabilities (85 moderate, 12 high)...

I just deleted the directory and went back to vanilla JS. This is a fun side project, I don't need that.

My tweet about it: https://twitter.com/preinheimer/status/1402785757962592256


That is exactly the point of the article. Every JS developer knows that these numbers are stupid and doesn't look at them.

However, a beginner who doesn't know what impact they have is of course scared when installing a library tells you that there are all those vulnerabilities.

As a beginner _just to npm_ I can imagine getting totally freaked out and worried that my whole system was _potentially_ compromised after seeing a “Critical” vulnerability reported as installed on my system.

After all, npm can execute any script with the user's permissions on install…except often (compared to bash) it's less easily inspected due to the common use of nested dependencies!

I, too, would delete my node_modules, and if I even wanted to move forward at that point, would probably waste at least half a day looking up the Critical vulns and discovering that they are probably not at all critical in my particular scenario. Like not at all for the 99.99% use case.

After experiencing something like that, it’s just like the article says. “The boy who called wolf.” Really terrible use of the labels “Critical” and “High”. The labels are fine, but the way they are applied is just stupid.

Who doesn't run an npm based app in a jail/vm/etc and as a regular user with any more than the bare minimum access needed to get its job done?
I would imagine installing directly as a regular user is the _typical_ approach, and even more-so for beginners.

I don’t see any recommendation in the nodejs or npm docs for any other approach.

It may be common sense and obvious to you, but I would be really surprised if common sense and common practice overlap significantly in scenarios like this for all but the most security conscious.

FYI, it's probably not react-bootstrap or bootstrap or any of their dependencies being flagged. It's some of the other ~2K packages already installed.
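The thread's point that npm runs install-time scripts with the user's permissions, and that nested dependencies make those scripts hard to inspect, can be checked directly. The script below is an added example, not code from anyone in the thread: it walks a `node_modules` tree (including nested and scoped packages) and lists every package that declares a `preinstall`, `install`, `postinstall` or `prepare` script. The package tree it scans is constructed in a temporary directory for the demo; the package names and commands in it are made up.

```python
"""Find packages in a node_modules tree that declare npm lifecycle scripts.

Added example (not from the thread). npm runs the preinstall/install/
postinstall/prepare scripts of every installed package, nested ones
included, with the installing user's permissions. This walks the tree
and reports them so they can be reviewed before trusting an install.
The sample tree in build_demo_tree() is constructed for this demo.
"""
import json
import tempfile
from pathlib import Path

# Hooks npm runs automatically during `npm install` of a dependency.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def _is_package_manifest(manifest: Path) -> bool:
    """True for node_modules/<pkg>/package.json or node_modules/@scope/<pkg>/package.json."""
    parent = manifest.parent.parent
    if parent.name == "node_modules":
        return True
    return parent.name.startswith("@") and parent.parent.name == "node_modules"


def scan_install_scripts(node_modules):
    """Return a list of (package name, hook, command) for every lifecycle hook found.

    Nested node_modules directories are included, because npm installs and
    runs hooks for transitive dependencies just as it does for direct ones.
    """
    findings = []
    for manifest in sorted(Path(node_modules).rglob("package.json"), key=str):
        if not _is_package_manifest(manifest):
            continue
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
        except (ValueError, OSError):
            continue  # unreadable or malformed manifest: skip, nothing to report
        scripts = data.get("scripts") or {}
        if not isinstance(scripts, dict):
            continue
        name = data.get("name") or str(manifest.parent)
        for hook in LIFECYCLE_HOOKS:
            if hook in scripts:
                findings.append((name, hook, scripts[hook]))
    return findings


def build_demo_tree(base):
    """Constructed sample tree: one clean package, two with hooks, one nested hook."""
    manifests = {
        "node_modules/left-padder/package.json": {
            "name": "left-padder", "version": "1.0.0",
            "scripts": {"test": "jest"}},                      # test script only: not run on install
        "node_modules/native-thing/package.json": {
            "name": "native-thing", "version": "2.1.0",
            "scripts": {"install": "node-gyp rebuild"}},       # typical native build hook
        "node_modules/@demo/telemetry/package.json": {
            "name": "@demo/telemetry", "version": "0.3.0",
            "scripts": {"postinstall": "node ./scripts/ping.js"}},  # scoped package with a hook
        "node_modules/native-thing/node_modules/deep-dep/package.json": {
            "name": "deep-dep", "version": "0.0.1",
            "scripts": {"preinstall": "sh ./setup.sh"}},       # nested transitive dependency
    }
    for rel, manifest in manifests.items():
        path = Path(base) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(json.dumps(manifest), encoding="utf-8")
    return Path(base) / "node_modules"


def demo():
    """Build the constructed tree, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_install_scripts(build_demo_tree(tmp))


if __name__ == "__main__":
    for pkg, hook, cmd in demo():
        print(f"{pkg:20} {hook:11} {cmd}")
```

Run it against a real project with `scan_install_scripts("node_modules")` after an install done with scripts disabled (`npm install --ignore-scripts`, or `npm config set ignore-scripts true`), so the hooks can be read before they are ever executed; the clean package in the sample shows that ordinary `test` or `build` scripts are not reported.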