by cjbprime
1680 days ago
CVEs alert end users that they need to take action to apply updates. That's relevant when a specific npm package contained a known vulnerability. It's not relevant when the npm server contained a known vulnerability. There's nothing a user of npm can do to update the npm server. CVEs don't just mean "this is a big security problem".
CVE: "the entire javascript/ruby/python development model is insecure"
affected: "the whole damn internet"
resolution: "rewrite the last 10 years of internet development from scratch"
not sure that's gonna happen