[HWR_14]

How do you police what your imports import? Serious question. Let's say I'm building a Discord app (as I want to do.) Well, either NPM or Python PIP to get one module - the discord module. But who knows how safe what it imports is. That's the point.

Are there stable dependencies from reputable companies that do the things I want without me vetting 10k submodule imports?

[grey-area]

It may require picking a different language with a different culture. JS badly needs a more capable standard library.

[tempodox]

That's the crux of the matter. Server-side you can, and should, choose a different platform than Node.js but for the browser we're all stuck with JS. A more capable standard library, where vetting everything would be much more feasible, would do much to improve the situation.

[skinkestek]

I somewhat naively assume that at least if I use plain React or Angular then

- someone at Facebook or Google has vetted the dependcy graph for those

- I also assume they have internal Snyk-like tools

- I also assume other users have similar tools

so someone should catch it.

When it comes to anything else I often look into what it pulls in.

Also I keep an eye on the yarn.lock-file in pull requests.

[filoeleven]

> so someone should catch it.

Just a week or two ago, a malicious NPM package was published which, for the hour or so that it was up, would be pulled in by any installation of create-react-app, since somewhere in the dependency tree it was specified with “^” to allow for minor updates.

Any machine that ran “npm -i” with CRA or who knows how many other projects during that hour may have compromised credentials.

1 hour to find and unpublish the malicious package is a fast turnaround time, so someone was watching and that’s great. But any NPM tree that includes anything other than fully-specified and locked versions all the way down the tree is just waiting for the next shoe to drop.

[HWR_14]

So my specific usecase (write a Discord bot) has the solution of "write everything from scratch" or "don't use JS"?

That's kinda what I assumed, but "only run code that have been signed off on by a major company" is kinda a shitty solution.

[ptx]

This requires that you're pulling in only exactly the same versions of those dependencies as those that Facebook and Google have vetted. Is there a way to do that?