by typical182 1534 days ago
That's not correct. You can unilaterally decide to update the version of E without waiting for anyone. Alternatively, if only C for example decides to update their required version of E, you would get that version of E if you updated your version of C (directly or indirectly), without needing to directly do anything with E yourself.

Slightly longer explanation of the mechanics here: https://news.ycombinator.com/item?id=30871730

The best complete explanation is probably here: https://research.swtch.com/vgo-principles
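The selection rule described above (the version of E you get is the highest one any module in your build requires, so bumping C alone can move E), as an added illustration that is not from the thread or from the Go toolchain: a small minimal-version-selection walk over a constructed requirement graph with made-up module names and simple integer versions.

```go
package main

import "fmt"

// Module is one module@version (the root has an empty version); constructed names.
type Module struct{ Path, Version string }

// ReqGraph maps each module@version to its require list (its go.mod).
type ReqGraph map[Module][]Module

// versionLess compares constructed "vN" versions numerically (not real semver).
func versionLess(a, b string) bool {
	var x, y int
	fmt.Sscanf(a, "v%d", &x)
	fmt.Sscanf(b, "v%d", &y)
	return x < y
}

// MVS returns the build list: each module reachable via requirement edges is
// selected at the maximum version any visited module requires (vgo's
// minimal version selection).
func MVS(g ReqGraph, root Module) map[string]string {
	selected := map[string]string{}
	visited := map[Module]bool{}
	var walk func(m Module)
	walk = func(m Module) {
		if visited[m] {
			return
		}
		visited[m] = true
		for _, dep := range g[m] {
			if cur, ok := selected[dep.Path]; !ok || versionLess(cur, dep.Version) {
				selected[dep.Path] = dep.Version
			}
			walk(dep)
		}
	}
	walk(root)
	return selected
}

// DemoGraph is the thread's scenario: main requires C and E, C's own go.mod
// requires a newer E than main does, and C v2 requires a newer E still.
func DemoGraph() ReqGraph {
	return ReqGraph{
		{"main", ""}: {{"C", "v1"}, {"E", "v1"}},
		{"C", "v1"}:  {{"E", "v2"}},
		{"C", "v2"}:  {{"E", "v3"}},
	}
}
```

With the demo graph, `MVS` selects E at v2 although main only asks for v1; replacing main's requirement on C with v2 moves E to v3 without touching main's line for E, and bumping E directly to v3 selects v3 as well.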


But wouldn't that have the same issue then? Developers decide to update their dependencies to patch any security vulnerabilities, and wind up installing node-ipc's malicious update.
The difference is that it's an explicit choice instead of other package managers who'd happily install latest compromised versions of packages by default.
But if it's a manual explicit choice, that adds more friction to these patches, and many developers may not update them at all. It's a trade-off.
A manual choice can be easily automated; an automatic choice can be difficult-to-impossible to de-automate.
It is trivial to manually upgrade dependencies in NPM. You just use `npm update <package>` with an optional version number if you want. And upgrading all dependencies of a Go package is also a single command. So honestly it seems like there is very little difference. My main point here is the trade-off. Either you reduce the friction for upgrades, and run the risk of malicious upgrades like node-ipc. Or you increase the friction, and run the risk of security vulnerabilities being unpatched in many projects.

I personally prefer the former. Encourage upgrades, but then NPM should also have a separate repository for community verified / trusted packages to reduce the chance of a random single developer damaging the entire ecosystem (left-pad, node-ipc, etc)

If I set up a new Node project I get the highest 'supported' version of whatever. If I add a new dependency I get the latest version of any transitive dependency I didn't already have. As far as I know that's impossible to disable. That's the automated upgrade I mean.