Deno: 'npm audit' alternative

Created on 25 May 2020 · 4 comments · Source: denoland/deno

I don't know enough about how npm listed vulnerabilities about dependencies, but I was wondering if there is a solution or a plan for such a solution. This would be required when deno gets a bit more mainstream and new vulnerabilities are discovered. Then there has to be a system to notify the users of such issues for them to take action.

Just a thought.

feat

All 4 comments

As I commented there, we should consider documenting #5161 for this use.

There isn't a solution nor a plan for it. It's certainly useful functionality. I'll leave this issue marked as feature, tho I'm not sure if this belongs in the CLI itself or should be done by source repositories.

In order for this to work, there needs to be a way to mark certain versions as deprecated or vulnerable. This is impossible to do by editing the file itself due to the integrity check.

A new module can be made for assigning files as insecure.

This would work like this:

In a separate file, an array of insecure versions is listed.

Then in the main module, the "security check function" is imported from the "security" module and passed in the current version of the module. If it matches any of the listed versions, it logs a message about the vulnerability listed in the separate file.


One thing to consider about this solution is that it adds to the "boilerplate noise".

That's just a quick little workaround, but I'm sure there can be better solutions.

Edit: backed off from the idea of a new standard module.

Here is an example: maximousblk/audit
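The check the comment above describes, as an added TypeScript example (not code from the issue, from maximousblk/audit, or from the deno project). The advisory format, module names and versions are constructed assumptions, and the inline array stands in for the separate advisory file the comment mentions.

```typescript
// Added example, not from the issue or the deno project. The advisory
// list would normally be loaded from a separate file or URL; it is a
// constructed inline array here so the example runs offline.

interface Advisory {
  module: string;       // module name the advisory applies to (constructed)
  vulnerable: string[]; // exact versions ("1.2.0") or upper bounds ("<0.4.2")
  note: string;         // short description shown to the user
}

// Constructed sample advisories: hypothetical module names and versions.
const ADVISORIES: Advisory[] = [
  { module: "example_http", vulnerable: ["1.2.0", "1.2.1"], note: "constructed advisory A" },
  { module: "example_yaml", vulnerable: ["<0.4.2"], note: "constructed advisory B" },
];

// Parse "a.b.c" into three non-negative integers; null on malformed input,
// so an unparseable version never silently matches or crashes the check.
function parseVersion(v: string): number[] | null {
  const parts = v.split(".").map((p) => Number(p));
  if (parts.length !== 3 || parts.some((n) => !Number.isInteger(n) || n < 0)) return null;
  return parts;
}

function compareVersions(a: number[], b: number[]): number {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// True if `version` is covered by an advisory entry: an exact match, or
// strictly below an "<x.y.z" bound.
function matches(version: string, entry: string): boolean {
  const v = parseVersion(version);
  if (!v) return false;
  if (entry.startsWith("<")) {
    const bound = parseVersion(entry.slice(1));
    return bound !== null && compareVersions(v, bound) < 0;
  }
  const e = parseVersion(entry);
  return e !== null && compareVersions(v, e) === 0;
}

// The "security check function" from the comment: a module calls it with its
// own name and version; matching advisories are logged and returned.
function securityCheck(module: string, version: string, advisories: Advisory[] = ADVISORIES): Advisory[] {
  const hits = advisories.filter(
    (a) => a.module === module && a.vulnerable.some((entry) => matches(version, entry)),
  );
  for (const a of hits) console.warn(`[audit] ${module}@${version}: ${a.note}`);
  return hits;
}
```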
