It's really a problem that needs to be addressed. We desperately need something like https://github.com/npm/rfcs/issues/480 or https://github.com/npm/rfcs/discussions/80.
I hope that other languages with similar OSS ecosystems take note - I'm looking at you, crates.io - and incorporate some kind of crowd-sourced auditing or something.
It exists.
You don't get the benefit of "security" by using version ranges. If anything, your builds must produce the same result whether they're built a year later, tomorrow, or next month, when built from the same source configuration. In fact, it's less secure because you might get an update that breaks the entire API or builds (see: the cryptography library update breaking the entire ecosystem, a library that must be as stable as possible. What if it packaged malware instead?)
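The point about version ranges in the comment above, as an added example that is not code from any commenter: a small Node.js script that scans a package.json and reports every dependency whose specifier is a range, wildcard or non-registry source rather than an exact pin. The package names and versions in the sample manifest are constructed.

```javascript
// Added example (not from the thread): flag dependency specifiers in a
// package.json that are version ranges rather than exact pins, so a later
// install can silently pick up a newer (possibly malicious or API-breaking)
// release. Only an exact "MAJOR.MINOR.PATCH[-prerelease][+build]" counts as pinned.
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;
const DEP_FIELDS = ["dependencies", "devDependencies", "optionalDependencies"];

function classifySpec(spec) {
  if (typeof spec !== "string" || spec.trim() === "" || spec === "*" || spec === "latest") {
    return "any-version";            // resolves to whatever the registry serves next
  }
  if (/^(file|link|git|github|http|https):|^[\w-]+\/[\w.-]+$|^npm:/.test(spec)) {
    return "non-registry";           // local paths, git URLs, aliases: not semver at all
  }
  if (EXACT_VERSION.test(spec)) return "pinned";
  return "range";                    // ^, ~, x, >=, ||, hyphen ranges, ...
}

// Returns every dependency whose specifier is not an exact version.
function findUnpinnedDependencies(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  const findings = [];
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const kind = classifySpec(spec);
      if (kind !== "pinned") findings.push({ field, name, spec, kind });
    }
  }
  return findings;
}

// Constructed sample manifest (hypothetical package names and versions).
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "example-app",
  dependencies: {
    "left-utils": "^1.4.0",
    "tiny-logger": "1.0.3",
    "color-names": "*",
    "internal-lib": "file:../internal-lib"
  },
  devDependencies: { "test-runner": "~2.1.0", "lint-rules": "3.2.1" }
});

for (const f of findUnpinnedDependencies(SAMPLE_PACKAGE_JSON)) {
  console.log(`${f.field}.${f.name}: "${f.spec}" (${f.kind})`);
}
```

Pinning in package.json still needs a committed lockfile and an install mode that honours it (npm ci) to guarantee the same tree on every build.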
There is an ongoing discussion about 2FA and possible bandaids for this sort of problem in the npm community forum: https://github.com/npm/feedback/discussions/588
https://deno.land is an alternative server-side JS runtime that is sandboxed by default.