So every version of every dependency of every package needs a review? It only takes one version of one dependency of any software package to be compromised by supply chain.


Each developer may choose to minimize the software dependency attack surface to a different degree.

Perhaps they would trust a package published by Google without a review, but would require a review before using a package from an indie developer.

Incremental decreases in the attack surface are valuable.
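The tiered policy described in the comment above (trusted publishers skip review; everyone else needs a recorded review of the exact resolved version) can be enforced mechanically against a lockfile. The script below is an added example, not code from the thread or from any project. The package-lock.json content, the package names, the publisher map and the review ledger are all constructed for illustration; in particular, lockfiles do not record who published a package, so the publisher-to-package mapping is assumed to come from registry metadata collected separately. Unknown publishers are treated as untrusted, and a review of one version does not carry over to the next.

```python
import json

# Constructed package-lock.json (lockfileVersion 3 "packages" shape); not from any real project.
LOCKFILE_JSON = """
{
  "name": "example-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "example-app", "version": "0.1.0"},
    "node_modules/@google-cloud/storage": {"version": "7.0.0"},
    "node_modules/tiny-indie-lib": {"version": "2.0.0"},
    "node_modules/tiny-indie-lib/node_modules/helper": {"version": "0.9.1"},
    "node_modules/other-thing": {"version": "1.0.0"},
    "node_modules/other-thing/node_modules/tiny-indie-lib": {"version": "2.0.1"},
    "node_modules/mystery": {"version": "3.1.4"}
  }
}
"""

# Constructed publisher map. A lockfile does not say who published a package,
# so assume this was gathered from registry metadata and pinned alongside the lock.
PUBLISHER_OF = {
    "@google-cloud/storage": "google",
    "tiny-indie-lib": "indie-dev",
    "helper": "indie-dev",
    "other-thing": "someone-else",
}

# Publishers whose packages are used without a per-version review (policy choice).
TRUSTED_PUBLISHERS = {"google"}

# Review ledger keyed by exact version: reviewing 2.0.0 says nothing about 2.0.1.
REVIEWED_VERSIONS = {
    ("tiny-indie-lib", "2.0.0"),
    ("other-thing", "1.0.0"),
}


def resolved_packages(lock):
    """Yield (name, version) for every resolved package, transitive ones included."""
    for path, entry in lock["packages"].items():
        if path == "":
            continue  # the root project itself, not a dependency
        # The last "node_modules/" segment is the package name; this handles
        # nested installs and @scoped names alike.
        name = path.split("node_modules/")[-1]
        yield name, entry["version"]


def needs_review(name, version, publisher_of, trusted, reviewed):
    """True if this exact (name, version) must be reviewed before use."""
    publisher = publisher_of.get(name)  # None (unknown publisher) is untrusted
    if publisher in trusted:
        return False
    return (name, version) not in reviewed


def review_queue(lock_json, publisher_of=PUBLISHER_OF,
                 trusted=TRUSTED_PUBLISHERS, reviewed=REVIEWED_VERSIONS):
    """Return the sorted list of (name, version) pairs that still need review."""
    lock = json.loads(lock_json)
    return sorted(
        (n, v) for n, v in resolved_packages(lock)
        if needs_review(n, v, publisher_of, trusted, reviewed)
    )


if __name__ == "__main__":
    for name, version in review_queue(LOCKFILE_JSON):
        print(f"review required: {name}@{version}")
```

Run against the constructed lockfile, the queue contains the nested helper (untrusted publisher, never reviewed), the unknown-publisher package, and the second copy of tiny-indie-lib at 2.0.1, while the trusted Google package and the two reviewed versions pass. A CI job that fails on a non-empty queue turns the comment's policy into a gate that re-fires on every version bump, which is the point the first comment makes: one unreviewed version of one transitive dependency is enough.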



