NPM “foreach” module maintainer's email domain expired (mastodon.social)
10 points by bluehatbrit on May 11, 2022 | 1 comment



It is one of the reasons why I have a strict policy regarding dependencies:

1. Think twice before introducing a third-party dependency (including dev dependency).

2. Favor trusted dependencies with a good dependency policy.

3. Avoid dependencies with tens/hundreds of third-party (transitive) dependencies.

4. Audit mid-trusted dependencies (including their transitive dependencies).

5. Use an exact version for mid-trusted dependencies in order to avoid non-audited updates (=x.y.z).

6. Use scoped packages for new projects in order to define trust boundaries.
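One way to check a package.json against rules 5 and 6 from the comment above, as an added example that is not code from the post or from any npm project: scopes listed in TRUSTED_SCOPES (a hypothetical, constructed set) form the trust boundary, and every other dependency is treated as mid-trusted and must be pinned to an exact version. The sample manifest, its package names and versions are constructed.

```javascript
// Added example, not from the HN post: audit a package.json so that any
// dependency outside the trusted scopes (rule 6) is pinned to an exact
// version, blocking un-audited updates (rule 5).

// Hypothetical scopes the project controls or fully trusts (assumption).
const TRUSTED_SCOPES = new Set(["@myorg", "@myorg-internal"]);

// npm's semver treats a bare "x.y.z" (optionally prefixed "=") as exact;
// ^, ~, >=, *, "x", "||", hyphen ranges and dist-tags like "latest" are not.
const EXACT_VERSION = /^=?\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;

function isExactVersion(spec) {
  return EXACT_VERSION.test(spec.trim());
}

// Trust tier is decided purely by the package scope.
function trustTier(name) {
  const scope = name.startsWith("@") ? name.split("/")[0] : null;
  return scope !== null && TRUSTED_SCOPES.has(scope) ? "trusted" : "mid-trusted";
}

// Returns findings for mid-trusted dependencies (dev ones included, per rule 1)
// whose specifier is a range rather than an exact version.
function auditManifest(manifest) {
  const findings = [];
  for (const section of ["dependencies", "devDependencies"]) {
    for (const [name, spec] of Object.entries(manifest[section] || {})) {
      if (trustTier(name) === "mid-trusted" && !isExactVersion(spec)) {
        findings.push({ section, name, spec });
      }
    }
  }
  return findings;
}

// Constructed sample manifest; names and versions are made up.
const SAMPLE_MANIFEST = {
  dependencies: {
    "@myorg/core": "^1.4.0",       // trusted scope: ranges allowed
    "unscoped-helper": "^2.0.1",   // mid-trusted, range: flagged
    "pinned-lib": "1.3.0",         // mid-trusted, exact: ok
    "@vendor/sdk": ">=3.0.0 <4",   // scoped but not trusted, range: flagged
  },
  devDependencies: {
    "build-tool": "*",             // dev dependencies count too: flagged
    "lint-plugin": "=0.9.2",       // "=x.y.z" is exact: ok
  },
};

for (const f of auditManifest(SAMPLE_MANIFEST)) {
  console.log(`${f.section}/${f.name}: "${f.spec}" is a range; pin an exact version`);
}
```

Pinning in package.json only covers direct dependencies; transitive ones (rules 3 and 4) still need a committed lockfile and a separate audit.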




