alt Hacker NewsBut it goes the other way too. If there's a security vulnerability that was fixed in a later version, you want the system to automatically pick that up and apply it for you in an ideal scenario.
Replies
hsbauauvhabzb • today at 12:12 AM
At this point, the risk of a compromised package outweighs the risk of an upstream vuln that actually matters. Npm audit is full of junk like client side redos vulns, you could probably ignore 90%+ of the reports and still be secure against the majority of of-concern attack classes.
bfivyvysj • today at 12:10 AM
Why would you patch a security vuln in a later version? Should be patched in all versions.. that's what semver is for.
➕ show 4 replies
kronks • today at 12:09 AM
[dead]
Even with ^ you won't get an updated version until somebody runs an install and updates the lockfile.
We have things like dependebot for this.
https://docs.github.com/en/code-security/tutorials/secure-yo...