by cphoover
1814 days ago
So currently the algorithm is... check (dev)Dependencies and descendant/transient dependencies to see if they exist in a security advisory database; if they do, highlight and surface them to the user. What are alternatives? A way to ignore or mark a dependency as safe? Could this be abused if an author can just mark a dependency as safe? Or perhaps, actually analyze syntax with a tool like ESLint (parse -> AST -> validate) to check that dangerous parts of libraries are not in use? This solution comes with its own complications. Who is authoring these validations? Perhaps there are other strategies I'm not aware of.
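The advisory check described above, as an added example that is not part of cphoover's comment: a depth-first audit of a package-lock-style tree against a constructed advisory list, with a "mark as safe" allowlist that only suppresses a finding when the entry states a reason and an unexpired date, and that still records the waived finding for review. Package names, advisory ids, versions and the lockfile shape are invented sample data.

```javascript
// Added example, not part of cphoover's comment: walk a package-lock-style
// dependency tree, report every package whose installed version falls in an
// advisory's vulnerable range, and honour a "mark as safe" entry only when it
// states a reason and has not expired. All data below is constructed.
function cmp(a, b) {  // compare two x.y.z versions numerically
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}
// a version is affected if introduced <= version < fixed
function affected(adv, version) {
  return cmp(version, adv.introduced) >= 0 && cmp(version, adv.fixed) < 0;
}
// depth-first walk over nested "dependencies" maps, tracking the install path
function walk(deps, path, visit) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const here = [...path, `${name}@${meta.version}`];
    visit(name, meta.version, here);
    walk(meta.dependencies, here, visit);
  }
}
function audit(lockfile, advisories, allowlist = {}, now = Date.now()) {
  const findings = [];
  walk(lockfile.dependencies, [], (name, version, path) => {
    for (const adv of advisories) {
      if (adv.name !== name || !affected(adv, version)) continue;
      const w = allowlist[adv.id];
      // A waiver only suppresses with a written reason and an unexpired date;
      // the finding is still recorded so reviewers can see what was waived.
      const waived = Boolean(w && w.reason && Date.parse(w.expires) > now);
      findings.push({ id: adv.id, name, version, path: path.join(" > "), waived });
    }
  });
  return findings;
}
// constructed sample lockfile, advisories and allowlist (not real packages)
const sampleLock = { dependencies: {
  "web-framework": { version: "4.1.0", dependencies: { "tiny-parser": { version: "1.1.3" } } },
  "tiny-parser": { version: "1.2.0" },
  "old-logger": { version: "0.9.0" },
} };
const sampleAdvisories = [
  { id: "ADV-0001", name: "tiny-parser", introduced: "1.0.0", fixed: "1.2.0" },
  { id: "ADV-0002", name: "old-logger", introduced: "0.0.0", fixed: "1.0.0" },
];
const sampleAllowlist = {
  "ADV-0002": { reason: "vulnerable code path not reachable", expires: "2099-01-01" },
};
console.log(audit(sampleLock, sampleAdvisories, sampleAllowlist));
```

Note that the top-level tiny-parser@1.2.0 is not flagged while the nested tiny-parser@1.1.3 under web-framework is, which is the transitive case the comment describes.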