|
|
|
|
|
|
by scottlamb
1814 days ago
|
|
|
> Or do commenters here actually believe that npm audit should treat a DoS of a development machine as a non-vulnerability? I believe that npm audit should treat a DoS of a development machine by a trusted developer as a non-vulnerability. "Code I (or a fellow committer) wrote uses a lot of CPU" isn't a vulnerability. If I care to prevent this, I should run said code within a cgroup with limited resources, not panic about theoretical expense in one part of the codebase while necessarily allowing arbitrary execution elsewhere. "npm audit" is crying wolf, just as the author said. I like the proposal [1] near the end: "If I own an npm package I need to be able to tag a certain transitive vulnerability category as not affecting my usage of that transitive package." This is particularly important for npm given things like create-react-app but would also be a good idea for "cargo audit" and such. [1] https://twitter.com/dan_abramov/status/1412380714012594178 |
|
|