Slashdot Mirror


Half of Audited JavaScript Projects Contained a Vulnerability (theregister.co.uk)

NPM Inc. added a feature to JavaScript's package manager this spring letting users type npm audit fix to replace old, insecure project modules -- and The Register asked them how it's going. Since April, according to the company, npm users have run 50 million automatic scans and have deliberately invoked the command 3.1 million times. And they're running 3.4 million security audits a week. Across all audits, 51 per cent found at least one vulnerability and 11 per cent identified a critical vulnerability. In a phone interview with The Register, Adam Baldwin, head of security at NPM, said he didn't have data on how many people are choosing to fix flagged flaws. "But what we've seen from pull requests suggests it's gaining traction," he said.

Incidentally, npm's thinking about security is finding similar expression elsewhere in the industry. Earlier this year, GitHub began alerting developers when their code contains insecure libraries. During a recent media briefing, GitHub's head of platform Sam Lambert said he hoped that the process could be made more automated through the mechanized submission of git pull requests that developers could simply accept to replace flawed code.

Baldwin said NPM might implement something similar, an intervention rather than a simple notification. "Currently it's not proactive policy enforcement," he said. "But it's something we're considering." That would appeal to NPM's growing enterprise constituency. "Enterprises for sure want the compliance and control," said Baldwin. "They want that ability to know the open source they're bringing in is safe or meets a certain set of criteria."

On Wednesday, NPM added "Report a Vulnerability" buttons to every NPM package web page, and also started checking new passwords against the "Have I Been Pwned?" database to spot already-compromised passwords. "The tools for avoiding problems and fixing them are getting better," writes The Register. But it'd be interesting to hear from Slashdot readers.

How do you feel about code repositories automatically offering replacements for insecure libraries?

62 comments

  1. Like Windows? by Anonymous Coward · · Score: 0

    No thanks

  2. javascript by Anonymous Coward · · Score: 0

    is shit. what did you expect?

    1. Re: javascript by Anonymous Coward · · Score: 0

      What language do you recommend for server end of web applications?

    2. Re: javascript by Anonymous Coward · · Score: 0

      systemd all the way

    3. Re: javascript by Anonymous Coward · · Score: 0

      Visual Basic .NET.

    4. Re: javascript by AHuxley · · Score: 1

      Ada. The internet can rise to new heights like French software.

      --
      Domestic spying is now "Benign Information Gathering"

  3. This will be abused by manu0601 · · Score: 1

    This will be abused, but how?

  4. Only half? by Anonymous Coward · · Score: 1

    More secure than Windows.

    1. Re:Only half? by Anonymous Coward · · Score: 0

      I've been using Windows for over 25 years, and have never had a single security hack.

    2. Re:Only half? by Anonymous Coward · · Score: 0

      Yet you still don't know the proper usage of a comma?

    3. Re: Only half? by Zero__Kelvin · · Score: 0

      ... that you know about. I would bet my life against a dollar your systems have been infected many, many times over the years.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun

    4. Re: Only half? by Anonymous Coward · · Score: 0

      I've been using Windows for over 25 years...

      "I've been living in an abusive relationship for over 25 years". Nothing to be bragging about. Either you were forced to or you are a masochist. Seek help now.

    5. Re: Only half? by Anonymous Coward · · Score: 0

      Yup, I'm logged into your system now. Looking pretty good!

    6. Re:Only half? by Anonymous Coward · · Score: 0

      you're just dumb enough to not have recognized them when they've happened.

  5. The vulnerability... by Anonymous Coward · · Score: 0

    Javascript in the browser IS the vulnerability.

    One, big, fat, grinning, vulnerability.

  6. or in other words half poorly audited by gravewax · · Score: 0

    I seriously doubt only half. better title "JavaScript auditing so poor that half are given a clean bill of health"

    1. Re: or in other words half poorly audited by Zero__Kelvin · · Score: 1

      Most code has vulnerabilities, so you are correct. They *found* them in 50%. That means they missed the other 49%.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun

    2. Re:or in other words half poorly audited by Anonymous Coward · · Score: 0

      Half are insecure, the other half just crashed. That's not insecure, right?

    3. Re: or in other words half poorly audited by astrofurter · · Score: 1

      NPM's audit function finds known, patched vulnerabilities in the dependency chain. That's all. ;)

    4. Re:or in other words half poorly audited by Anonymous Coward · · Score: 0

      funny you got modded down, you are 100% correct. Basically this process is only looking for a known set of vulnerabilities. I would be shocked if actual amount with vulnerabilities was below 90%, writing secure code is very very hard and 99% of developers aren't anywhere near competent enough to even attempt it.

  7. Simple solution: by Gravis+Zero · · Score: 3, Interesting

    Stop using JavaScript to do backend operations!

    --
    Anons need not reply. Questions end with a question mark.

    1. Re:Simple solution: by Anonymous Coward · · Score: 1

      Obvious outcome for low barrier to entry. Any Stackoverflow copy-and-paste dev or front end kiddie who fancies themselves an engineer can throw together crappy JavaScript code, and the rest of us have to use it indirectly on the web because companies think it's a good idea to use that garbage.

      Thanks nodejs!

    2. Re:Simple solution: by Anonymous Coward · · Score: 0

      Would it help if people stopped testing software for vulnerabilities?

    3. Re:Simple solution: by Anonymous Coward · · Score: 0

      Stop using JavaScript to do backend operations!

      Why?

      Your advice is simple, logical and wrong. A common thing to see, but quite useless in practice.

      Tired old knee-jerk reactions like yours are utterly worthless, a waste of written space, of use to absolutely nobody in the real world and something that resonates only with others sharing your particular echo-chamber.

      I would tell you to shut the fuck up, but it is your right to voice your opinion, so I will not. I will implore you to spend your energy on something more constructive instead, which will serve both yourself and others much better. Up to you.

  8. Re:gravewax = fake name massive human fail... apk by Anonymous Coward · · Score: 0

    man you need to ease back on the drugs.... or perhaps up the dose.

  9. Open Source problem by Anonymous Coward · · Score: 0

    The problem is not that the source code is open per se but that it gets included wantonly to save cost or for expediency.

  10. Re: Offer doesn't mean force. Democrat? by Zero__Kelvin · · Score: 2, Insightful

    You usually have good stuff to say worth reading. That last sentence was moronic though. Stick to tech and stay out of politics.

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun

  11. Re:You stupid niggers like & use my work... ap by webmistressrachel · · Score: 1

    These apk trolls are weak and lame, I want the actual apk back dammit. I'm honestly beginning to think that real apk has kicked the bucket, or just got fed up of /.

    --
    This tagline was transcoded to result in at least one smirk. If you experience failure to smirk, please consult your Gen

  12. It's the language by phantomfive · · Score: 4, Insightful

    And then cue the confusion from all the people who think their code can't be insecure because they are using a safe language, not like C.

    A while ago someone said here that "buffer overflow exploits are the low-hanging fruit of hackers, once they are gone there is plenty of other stuff." And that person was right.

    --
    "First they came for the slanderers and i said nothing."

    1. Re:It's the language by Anonymous Coward · · Score: 0

      Use static HTML. That has far fewer intrinsic vulnerabilities like buffer overflows than C, and the average number of bugs per thousand lines of code is lower too.

  13. Look on the bright side ... by fahrbot-bot · · Score: 3, Insightful

    Half of audited JavaScript projects *don't* contain a vulnerability. Seems like a win.

    --
    It must have been something you assimilated. . . .

    1. Re:Look on the bright side ... by Anonymous Coward · · Score: 0

      Yes, I am surprised it's so low.

    2. Re:Look on the bright side ... by Anonymous Coward · · Score: 1

      No, at least half do. The other half don't contain vulnerabilities the researchers currently know about and looked for.

  14. Re:Offer doesn't mean force. Democrat? by Anonymous Coward · · Score: 0

    Never go full retard...

  15. R A Y M O R R I S I S A L Y I N G F A G G O T by Anonymous Coward · · Score: 0

    Ray Morris pushed the nazi white supremacist lie shamelessly, the faggot has zero honor or intellectual integrity - https://tech.slashdot.org/comments.pl?sid=12520486&cid=57184660

    1. Re: R A Y M O R R I S I S A L Y I N G F A G G O T by Anonymous Coward · · Score: 0

      Go home, David Brock. You're drunk again.

  16. Password checking by nullchar · · Score: 1

    So they will send my plain text or unsalted & hashed password over the TLS-wire to the "trusted" pwned DB for a match?

    No thanks!

    1. Re:Password checking by Anonymous Coward · · Score: 0

      Shouldn't be a big deal.

      Every password you set should be random and new. It's not like you're going to use a password you've already used before. You are using a password manager... right?

    2. Re: Password checking by nullchar · · Score: 1

      Of course every password is unique, but now me, the site I want to sign up for, and some untrusted 3rd party all have my password.

      I guess the answer is multi factor auth everywhere.

  17. Anal drippings by Anonymous Coward · · Score: 0

    I lick up nun farts.

  18. Want but don't want to happen by Todd+Knarr · · Score: 4, Insightful

    My experience is that large corporations want security and compliance. What they don't want to do is actually change anything to achieve it, especially if that changing happens on anything other than their schedule. Updating dependencies to fix security issues means having to revalidate and recertify the entire software stack, after all, and they want to avoid that at all costs. They'll only grudgingly do it when some outside agency credibly threatens them with fines and penalties that exceed the cost of the recertification. This is particularly silly since if you keep up with updates regularly it's a relatively painless process that usually doesn't break anything and if it does you've got plenty of time to fix it on your schedule. It only becomes an issue when you've avoided updates for so long that your versions of the dependencies are obsolete/unsupported and the current versions have major API redesigns or have been completely replaced by something with a different API. That's when it gets painful.

    This is what happens when maintenance is considered a cost center rather than a necessary aspect of earning revenue. It's like considering janitorial services to be a cost center: pretty quick your business gets filthy and nobody wants to come in the door.

  19. Re: You stupid niggers like & use my work... a by Anonymous Coward · · Score: 0

    APK is still around, but why do you seem to like him so much? He's a spammer, a bigot, and is incredibly hateful toward others. I just don't understand why you'd want either the fake APK or the real APK around.

  20. Re: You stupid niggers like & use my work... a by webmistressrachel · · Score: 1

    All of this is extremely true, and he's been incredibly hateful toward me for many years, but something about triggering his ire reminds me that I'm still alive!!

    Successfully winding up a troll like apk is more satisfying than it should be. I don't know why, but there you have it.

    --
    This tagline was transcoded to result in at least one smirk. If you experience failure to smirk, please consult your Gen

  21. Only 1/2? by drewsup · · Score: 2

    Hey, things are looking up for JS!

  22. JavaScript by sproketboy · · Score: 1

    JavaScript itself is a vulnerability. Why do I have domain blocking of CSS but not JS in browsers?

  23. Re:Offer doesn't mean force. Democrat? by Gimric · · Score: 0

    If you are having trouble figuring out what it means to force someone to do something they don't want to do, I suggest you look at the example of an old white male Republican telling young women what to do with their bodies. Hint: When it's their mistress, they ask her to get an abortion, when it's anyone else they tell them they have to go full term.

  24. R A Y M O R R I S I S A L Y I N G F A G G O T by Anonymous Coward · · Score: 0

    Ray Morris pushed the nazi white supremacist lie shamelessly, the faggot has zero honor or intellectual integrity - https://tech.slashdot.org/comments.pl?sid=12520486&cid=57184660

  25. Impersonating me? Get a life... apk by Anonymous Coward · · Score: 0

    Impersonating me? Get a life already, freak.

    APK

    P.S.=> Unbelievable anyone wastes their life & time the way you do impersonating me & for what? Does it STOP me from posting?? No... apk

  26. Impersonating me? Get a life... apk by Anonymous Coward · · Score: 0

    Impersonating me? Get a life already, freak!

    APK

    P.S.=> Unbelievable anyone wastes their life & time the way you do impersonating me & for what? Does it STOP me from posting?? No... apk

  27. Impersonating me? Get a life already, freak! apk by Anonymous Coward · · Score: 0

    Impersonating me? Get a life already, freak.

    APK

    P.S.=> Unbelievable anyone wastes their life & time the way you do impersonating me & for what?? Does it STOP me from posting??? No... apk

  28. No better reason ... by PinkyGigglebrain · · Score: 2

    This is one of main reasons why I have NoScript installed on all my browsers, and if a browser isn't supported by NoScript I don't use that browser.

  29. Just for you Jude true shiksa by Anonymous Coward · · Score: 0

    Khazar Talmudic Jews believe this of all they call goyim/gentiles (any non-jew): Jews = biggest racists of all (for which they "jew guilt" you for no less! They're hypocrites known as thieves all thru history or were Argentines in the 1940 under Peron, Spanish inquistion, France (1306), Egypt (despoiled/robbed by jews), Arabs (pre & post 1948), England (1330 Edward longshanks), Romans under titus, Russia pogroms and Germany who got rid of them from their nations nazi german's too? No. Driven into DESERTS ages ago! Don't wonder why after all those exilings above.

    Should anyone doubt any of this see Jacob Javits' crony Rosenthal spill the beans on it https://www.youtube.com/watch?v=D4zMVZ8HnFI/ where he called all Christianity fools for helping Israel and the biggest scam of all time per their beliefs below from their Talmud.

    This is the province of the synagogue of Satan (Pharisees whom Jesus Christ himself kicked to the curb out of the temple & they killed him for it. Jeremiah did the same to them also + the Essenes could not stand them either breaking away from the pharisee corruption):

    Mark Zuckerberg stole the Winklevoss twins' code for Fakebook (figures as he is a thieving low jew too).

    Maria Abramovic satanist spirit cooker pal of Hillary Clinton the Voodoo queen is a jew https://www.google.com/search?...

    Like Hillary Clinton's mentor Saul Alinsky author of rules for radicals book dedicated to Lucifer

    "Most Jews do not like to admit it, but our god is Lucifer - so I wasn't lying - and we are his chosen people. Lucifer is very much alive" Harold Rosenthal http://www.thetruthseeker.co.u...

    Jewish rabbi openly admits to satan worship use white children's blood they kill for passover bread, infiltrating and subverting the catholic church, creating the Jesuit order https://www.youtube.com/watch?... and https://www.youtube.com/watch?...

    Barbara Spectre, a jew, tells everyone it's jews orchestrating the muslim migrant problem in Europe https://www.youtube.com/watch?v=MFE0qAiofMQ/ . No migrant raping of women in Poland. Tons in Sweden. Do the math. Use common-sense. This is to get muslims and other goyim/gentiles to wipe one another out as incompatible cultures that will clash and always have.

    Rabbi A. Finkelstein ADMITS their greatest enemies are ARABS and WHITES (blacks too) whom they wish to kill one another in a 'theater of war' which they find AMUSING https://www.youtube.com/watch?...

    Finkelstein also admits JEWS DID 9/11 (perpetrated by the Mossad & Bebe Netanyahu of ISRAEL) https://www.youtube.com/watch?... profiting by it (and that 3,000 jews employed there did not show up for work that day knowing about it beforehand).

    Finkelstein also admits JEWS are going to destroy the U.S. Dollar and dumping it for other world currencies and gold to destroy the United States.

    George Soros who funds groups to create division in the USA?? A jew. One who sold his own jew people into death for the nazis.

    Zucker now FIRED @ CNN is another frying publicly for lying about "russians" and John Bonifield a producer @ CNN said it is bs. Van Jones did also.

    Bernie Madoff (who made off with everyone's money, especially construction union pensions) shows the thieving nature of the JUDEN!

    Eric Schmidt had to step down @ JEWgle (a jew).

    Adam Schiff (gosh s

    1. Re:Just for you Jude true shiksa by webmistressrachel · · Score: 1

      Jesus feckin' Christ, a wall of Jew Hate in the apk style - not sure what to think! Questions arising -

      1) Why is this posted in reply to my comment admitting to reverse-trolling apk? *aha! maybe it's like reverse racism, if you troll a troll then you are not trolling!

      2) Where is this sourced from???

      3) If you did write this specially for this post, you spent a long time doing so. Why??

      --
      This tagline was transcoded to result in at least one smirk. If you experience failure to smirk, please consult your Gen

    2. Re:Just for you Jude true shiksa by Anonymous Coward · · Score: 0

      Why do you jews be racist calling non jews goyim cattle to be robbed raped etc.? Answer, shiksa sleeze. Why? I knew you'd react so I could destroy you. Go on now. Destroy yourself publicly for me. By the way: Don't you Christ killers ever dare to use his name in vain. You and yours murdered him Jewess. I don't hate jew. You and yours do. You hate yourselves. Why do you cut your hook noses off you pack full of cocaine and heroin powders for? You hate yourselves and you know it. I can't blame you child of Cain.

    3. Re:Just for you Jude true shiksa by webmistressrachel · · Score: 1

      TRIGGERED! Boom! (Head. Off!) lol

      --
      This tagline was transcoded to result in at least one smirk. If you experience failure to smirk, please consult your Gen

    4. Re:Just for you Jude true shiksa by Anonymous Coward · · Score: 0

      Thanks for destroying yourself by avoiding a question Judess https://slashdot.org/comments.pl?sid=12525962&cid=57213930

    5. Re:Just for you Jude true shiksa by webmistressrachel · · Score: 1

      All we want is a bit of shalom, can't we all just get along?

      --
      This tagline was transcoded to result in at least one smirk. If you experience failure to smirk, please consult your Gen