
I wasn't saying that Node itself is a security problem but rather that the community is biased towards rapid upgrades, trading long-term API stability for the ability to use new things quickly. That's a valid trade-off which a lot of people have enjoyed but it does mean that you need to think about whether you have the resources to keep surfing that wave when adding new dependencies. It does seem like the community is reconsidering that balance, too, after years of things like leftpad or worse have been highlighting how exposed most projects are to a single compromised maintainer.


I'm not saying you should blindly install the first package you find. My point is, when a program works, and it's maintainable, there's no problem.

So many messages here are saying what could go wrong, but I have NEVER actually run into the issues people seem to imply.

In my opinion, your 'community' is just people who shout hard but hardly do any coding IMHO.



