
Dev dependencies are as dangerous as production dependencies and always have been. Read this from 1984: https://www.archive.ece.cmu.edu/~ganger/712.fall02/papers/p7...

Those 1,568 create-react-app dependencies are maintained by people you have no formal relationship to, and are all versioned independently. Visual Studio is one monolithic package released by one of the largest companies on earth. Microsoft is not going to backdoor you, and it has a huge incentive to stop anyone else from directly backdooring you via Visual Studio. On the other hand, the maintainer of the event-stream NPM package, with ~1.5 million weekly downloads, recently gave control to a stranger. They successfully backdoored it and evaded detection for over a month. https://blog.npmjs.org/post/180565383195/details-about-the-e...

Is that any less true for completely unrelated pieces of software on the same machine? If you have a nice secure monolithic .NET project on your machine, and you also ran a create-react-app project on the same machine, shouldn’t you be just as worried?

Not really, at least IMHO. Not every vulnerability in [insert unvetted react dependency here] contains a host-targeting malware payload. In fact, I'd imagine those are the minority. Some concern is certainly warranted though.

Now with the NuGet ecosystem, VS projects also depend on external dependencies you have no formal relationship to.

Yep. In theory a dotnet project pulling in NuGet packages is in the same class as a node project pulling in NPM packages.

In practice, it's tremendously different.

As mentioned, a do-nothing react app has 1500 dependencies, all managed by who-knows-how-many different companies and individuals.

A do-nothing aspnetcore app has maybe a few dozen dependencies, and with the exception of Newtonsoft.JSON, all of these are managed and supported by Microsoft.

When you scale that up to a real app, I don't even know what you get with Node/npm? 2500 dependencies? With aspnetcore you probably end up adding 10-20 more dependencies, and some of them are probably written by Microsoft.

So, your "potentially untrustworthy package count" in node is about 2000 packages, whereas for aspnet it's about 10 packages. You can review and pay attention to 10 packages. 2000? Not so much.

Aside: A java/maven project probably falls somewhere in between, but closer to the aspnet scenario. Instead of a few dozen dependencies you might have 50, but it's still realistically possible to review them all, and they're far more likely to come from trusted publishers such as the Apache foundation.

That's a different issue. I was replying to the claim that Visual Studio itself vs. create-react-app itself is an "apples to apples comparison" (their words).
