2 comments

[ 3.1 ms ] story [ 21.1 ms ] thread
I'm not the author of that GH issue, but I do wonder if we can do better.

Do you all look away when you see a bunch of warnings about minor vulnerabilities in your codebase?

NPM audit is largely useless[0]. Most people don’t care that the CSS minifier can cause an out-of-memory when fed a bad class name, because that step happens during the build process and not with untrusted code. There isn’t a way to isolate only issues that can be exploited in the production code.

[0]: https://overreacted.io/npm-audit-broken-by-design/