
CVEs alert end users that they need to take action to apply updates. That's relevant when a specific npm package contained a known vulnerability. It's not relevant when the npm server contained a known vulnerability. There's nothing a user of npm can do to update the npm server.

CVEs don't just mean "this is a big security problem".




hehe...

CVE: "the entire javascript/ruby/python development model is insecure"

affected: "the whole damn internet"

resolution: "rewrite the last 10 years of internet development from scratch"

not sure that's gonna happen


At least the npm packages outside their telemetry horizon should be updated immediately.



