
You run a private NPM mirror where you copy dependencies that you rely on, after auditing them (for code quality and licensing).



Realistically if someone were to sneak something in, what kind of audit would you need to be able to catch it?


Wouldn't just pinning the hash of a package be a better solution?


That’s probably fine from the security perspective, but the hash won’t make the package re-appear if it disappears out of nowhere. That’s the other benefit of a private/on-premises mirror.


True. I work with PyPI and it's been extremely solid for years, so we tend to just not consider this a problem at all. Pipenv stores hashes for each package version as well, so you get the security aspect built in.

Pipenv has pretty much fixed Python packaging/dependencies, in my opinion. It's the all-in-one tool I've always wanted. If you do any Python work, try it, it's great.


Yarn caches locally, doesn't it?


Easiest solution without infrastructure imo is to vendor node_modules as a git submodule.

(Of course it's even easier to just add node_modules to the repo but that is messy).


and you better fork the git repo, otherwise the incident happening to npm can happen on github / whatever remote repo.


I don't know JS, but this sounds like a lot more work than just checking everything into your repo?


This, or if you have the money there are companies that do that for you.



