Hacker News
Vinnl
1814 days ago
If there's a vulnerability in Webpack (a devDependency) that injects malicious code into your bundle, `npm prune --production` won't save you.
remram
1814 days ago
This is not a vulnerability (i.e. a security bug), it's an attack (i.e. malicious).
Vinnl
1814 days ago
It doesn't really matter what you call it; the problem is that there could be CVEs in your devDependencies that affect your production build, and pruning those dependencies after using them to create that build doesn't remove the risk.