Ask HN: How are you securing your NPM dependencies?
2•madospace•1h ago
There are a few obvious things like adding min-release-age, ignore-scripts and save-exact. What other practices can we follow to ensure we are minimizing the damage, especially with chained dependencies?
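As an added example (not code from this thread), a small check that mirrors two of the settings named above, save-exact and ignore-scripts: it flags dependency specs in a package.json that are not exact pins and lists the lifecycle hooks npm would run automatically at install time. The sample manifest is constructed for demonstration.

```javascript
// Added example, not from the thread: audit a package.json manifest for
// (1) dependency specs that are ranges rather than exact pins, which is what
//     save-exact / "freezing versions" avoid, and
// (2) install-time lifecycle hooks, which is what ignore-scripts suppresses.

// Hooks npm runs during `npm install` unless ignore-scripts=true is set.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Exact pin: a bare semver such as 1.2.3 or 1.2.3-beta.1, with no range operator.
const EXACT_RE = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;

function isExactPin(spec) {
  return EXACT_RE.test(String(spec).trim());
}

// Returns every dependency whose spec is a range, tag, URL or alias rather than
// an exact version, formatted as "field/name@spec".
function findUnpinned(manifest) {
  const fields = ['dependencies', 'devDependencies', 'optionalDependencies'];
  const out = [];
  for (const field of fields) {
    for (const [name, spec] of Object.entries(manifest[field] || {})) {
      if (!isExactPin(spec)) out.push(`${field}/${name}@${spec}`);
    }
  }
  return out;
}

// Returns the install-time hooks the manifest declares, with their commands,
// so a reviewer can see what would execute without ignore-scripts.
function findInstallHooks(manifest) {
  const scripts = manifest.scripts || {};
  return INSTALL_HOOKS.filter((h) => h in scripts).map((h) => ({ hook: h, command: scripts[h] }));
}

// Constructed sample manifest; package names and commands are illustrative only.
const SAMPLE_MANIFEST = {
  name: 'example-app',
  version: '1.0.0',
  scripts: { build: 'tsc', postinstall: 'node ./scripts/setup.js' },
  dependencies: { 'left-pad': '1.3.0', express: '^4.18.2' },
  devDependencies: { typescript: '~5.3.0', eslint: '8.56.0' },
};

console.log('unpinned:', findUnpinned(SAMPLE_MANIFEST));
console.log('install hooks:', findInstallHooks(SAMPLE_MANIFEST));
```

Running the same two checks over each dependency's manifest under node_modules shows which transitive packages declare install hooks, which is where ignore-scripts matters most.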
Comments
benoau•54m ago
Freezing the versions in package.json and generally not revisiting unless they have vulnerabilities or there's a compelling reason to update a specific package (which is rare).
madospace•33m ago
Curious to know how you are going to ensure the right security patches are getting updated in time.
Most of my troubles are that I have fixed versions of packages that are more than a year old. Now I am scared to update anything :)