Hacker News new | ask | show | jobs
by dmitriid 1624 days ago
> At dev time, you generate a lock file of the hashes of your dependencies.

So. At dev time. You download random files from random urls via Deno.

Compared to: At dev time you download files from a trusted repository. https://news.ycombinator.com/item?id=29871936
1 comments
Longwelwind 1624 days ago
NPM is not a trusted repository, I think. There are no checks done to the content of the packages uploaded by users. It's up to you to make sure that what you add to your project doesn't contain malware/vulnerabilities.

If you use a lockfile, downloading a package from NPM or directly using a random URL is conceptually the same, since they are both untrusted sources. Having a lockfile will ensure that if you download a dependency to review it for vulnerabilities, later re-downloads of the dependency will not have changed files.

link
dmitriid 1624 days ago
> NPM is not a trusted repository

It's not. But it's rather trivial to run your own registry, and many (most?) companies do exactly that.

> It's up to you to make sure that what you add to your project doesn't contain malware/vulnerabilities.

That's why, again, many companies run their own registries, and don't download random files from the internet.

> Having a lockfile will ensure that if you download a dependency to review it for vulnerabilities, later re-downloads of the dependency will not have changed files.

And to generate that lockfile... you need to first download a random file from the internet. Got you.

link