pull down to refresh
55 sats \ 10 replies \ @WeAreAllSatoshi 14h \ parent \ on: NPM security: preventing supply chain attacks | Snyk (2022) security
Yes? Either they didn't have it in their lockfile, or they installed the dependency new while the malicious version was the latest, or they did an upgrade while it was live.
Otherwise, you'd see changes in lockfiles all the time as any number of transitive dependencies are updated within semver constantly.
reply
Makes sense!
I'm just still confused because the cause doesn't seem to match the amount of confusion. How this can happen (incomplete lock file) doesn't seem to match how often it seems to happen (the internet is full with people complaining about it).
Did all of them also had someone who forget to check in changes to package-lock.json? How else could it happen to have an incomplete lock file? Who modifies their package-lock.json manually or undoes the changes to it (
git checkout package-lock.json) and then wonders why npm install changes it again or ...?But maybe I'm contributing to the confusion around it right now haha
I wish the documentation was more clear when
npm install changes package-lock.json. I don't see it mentioning what happens if the lock file is incomplete.reply
reply
ROFL - yep
reply
reply
I'm not a professional programmer, but when I worked part time at a tech company I was surprised that I was better at it than some of the full-time programmers there :\
reply
reply
That's... kinda sad? The idealistic part of me would like to believe that sucking is due to skill/personality mismatch, rather than something inherent about the person, and that everyone can find a niche that they don't suck at.
reply