'npm audit' alternative #5840
Comments
As I commented there, we should consider documenting #5161 for this use.
There isn't a solution nor a plan for it. It's certainly useful functionality. I'll leave this issue marked as feature, tho I'm not sure if this belongs in the CLI itself or should be done by source repositories.
In order for this to work, there needs to be a way to mark certain versions as deprecated or vulnerable. This is impossible to do by editing the file itself due to the integrity check. A new module can be made for assigning files as insecure. This would work like this: In a separate file, an array of insecure versions is listed. Then in the main module, the "security check function" is imported from the "security" module and passed the current version of the module. If it matches any of the listed versions, it logs a message about the vulnerability listed in the separate file. One thing to consider about this solution is that it adds to the "boilerplate noise". That's just a quick little workaround but I'm sure there can be better solutions. Edit: backed off from the idea of a new standard module.
Discussion moved to #8699
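A sketch of the "security module" idea from the comment above, as an added example that is neither Deno's code nor the commenter's: the advisory list is constructed sample data (it would live in a separate file in the proposal), and versions are assumed to be plain three-part `major.minor.patch` strings.

```typescript
// Added example: a "security" module that the main module imports to check
// its own version against a list of known-insecure versions.
interface Advisory {
  id: string;          // placeholder identifier, not a real advisory
  introduced: string;  // first affected version (inclusive)
  fixed?: string;      // first fixed version (exclusive); undefined = all later versions affected
  summary: string;
}

// Constructed sample data; in the proposal this array lives in a separate file.
const ADVISORIES: Advisory[] = [
  { id: "EXAMPLE-0001", introduced: "1.0.0", fixed: "1.2.0", summary: "example: path traversal in file handler" },
  { id: "EXAMPLE-0002", introduced: "2.0.0", summary: "example: unpatched issue in all 2.x releases" },
];

// Assumes plain major.minor.patch versions; prerelease tags are rejected rather than guessed at.
function parseVersion(v: string): [number, number, number] {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a: string, b: string): number {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// The "security check function": returns every advisory whose affected range contains `version`.
function securityCheck(version: string, advisories: Advisory[] = ADVISORIES): Advisory[] {
  return advisories.filter((a) =>
    compareVersions(version, a.introduced) >= 0 &&
    (a.fixed === undefined || compareVersions(version, a.fixed) < 0));
}

// What the main module would call with its own version: logs each hit and returns the hit count.
function warnIfVulnerable(version: string, advisories: Advisory[] = ADVISORIES): number {
  const hits = securityCheck(version, advisories);
  for (const a of hits) {
    console.warn(`[security] version ${version} is affected by ${a.id}: ${a.summary}`);
  }
  return hits.length;
}
```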
I don't know enough about how npm lists vulnerabilities in dependencies, but I was wondering if there is a solution or a plan for such a solution. This would be required when deno gets a bit more mainstream and new vulnerabilities are discovered. Then there has to be a system to notify the users of such issues for them to take action.
Just a thought.