You're right! That works great for the package itself, and it's what I do. But w... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		diiq on June 29, 2020 \| parent \| context \| favorite \| on: Worrying about the NPM Ecosystem You're right! That works great for the package itself, and it's what I do. But will you also chase down and open on github all that package's dependencies, and their dependencies, etc? It is that, more recursive problem that I'm trying to point at. If you are content to trust that the package maintainer chose their dependencies wisely, then this probably won't seem like a big deal -- and that's ok! Different projects have different requirements for how they assess third-party code.

TehShrike on June 29, 2020 [–]

I do check out dependencies, yeah – Octolinker makes it easy to do due diligence on reasonable libraries.

If it has a ton of dependencies, then I don't want to take it on/maintain it anyway.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact