by stephenr 15 days ago
> Most of the recent supply chain attacks specifically target stealing secrets from development environments.

If your secrets in a dev environment can actually do any damage if leaked, you're doing something very fucking wrong.

> React's last minor version bump included 100 files and ~5k changes.

So you're choosing over-engineered dependencies and then complaining they're too big.

Somehow I think the problem, as usual, started with the meat sack on the chair.


I think we may be talking past each other at this point, but secrets from a dev env can be more valuable than secrets from a production env.

With things necessary for a dev env, like read/write access to source control, attackers can get access to internal data, and push malicious code that gets run in a prod env anyway.

If you want to make the claim that using React is an insane, indefensible choice from a security standpoint, you are being idealistic at best.

Telling people not to use React does not help anyone, and that type of recommendation causes reputational damage to the security industry.

We are clearly talking about different things.

Access to source control is required on a developer workstation.

It is not required inside an application environment on that workstation (e.g. a VM or other such system that both provides a standard environment and creates separation).

I'm not making any claims about the security of React.
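The separation described above is only worth something if the application environment (the VM or container where `npm install` and its lifecycle scripts actually run) really has no source-control or registry credentials in it. The following POSIX shell audit is an added example, not code from any commenter in the thread; it checks the live environment for the usual places such credentials leak in (secret-looking environment variables, a forwarded SSH agent socket, and well-known credential files under `$HOME`). The list of file names and variable-name patterns is my own assumption about what is most common, not an exhaustive one.

```shell
#!/bin/sh
# Audit the environment in which third-party install scripts will run and
# report credential material they could read. Added example; the patterns and
# file list below are assumptions, not a complete inventory.

# Flag variable names that look like secrets. Reads one name per line from
# stdin so the logic can be tested against a constructed list.
flag_secret_env_names() {
    while IFS= read -r name; do
        case "$name" in
            *TOKEN*|*SECRET*|*PASSWORD*|*PASSWD*|AWS_ACCESS_KEY_ID|AWS_SESSION_TOKEN)
                echo "env: $name is set" ;;
        esac
    done
}

# Flag readable credential files under the given home directory. .npmrc and
# docker's config.json are only flagged when they actually carry a token.
flag_credential_files() {
    home="$1"
    for f in .git-credentials .npmrc .netrc .aws/credentials .docker/config.json \
             .ssh/id_rsa .ssh/id_ed25519 .ssh/id_ecdsa; do
        [ -r "$home/$f" ] || continue
        case "$f" in
            .npmrc) grep -q '_authToken' "$home/$f" || continue ;;
            .docker/config.json) grep -q '"auth"' "$home/$f" || continue ;;
        esac
        echo "file: $home/$f is readable"
    done
}

# Full audit of the live process environment. Prints every finding and
# returns their count, so 0 means "clean" for use in a pre-install check.
# Usage: audit_env [HOME_DIR]   (defaults to $HOME)
audit_env() {
    home="${1:-$HOME}"
    findings=$( {
        env | cut -d= -f1 | flag_secret_env_names
        # A forwarded agent lets code sign/push with your keys without ever
        # reading the private key file.
        [ -n "$SSH_AUTH_SOCK" ] && [ -S "$SSH_AUTH_SOCK" ] \
            && echo "agent: SSH_AUTH_SOCK points at a live agent socket"
        flag_credential_files "$home"
    } )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return "$(printf '%s\n' "$findings" | wc -l | tr -d ' ')"
}

# Run the audit only when explicitly asked, so sourcing this file is a no-op.
if [ "${AUDIT_RUN:-0}" = "1" ]; then
    audit_env
fi
```

Run it as `AUDIT_RUN=1 sh audit.sh` inside the VM or container before installing dependencies; a non-zero exit is the signal that the environment is not actually separated from the developer's credentials. The same functions can be pointed at a mounted volume (`audit_env /mnt/devhome`) to see what a container would inherit from a bind-mounted home directory.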