Slashdot Mirror
Half of Audited JavaScript Projects Contained a Vulnerability (theregister.co.uk)
NPM Inc. added a feature to JavaScript's package manager this spring letting users type npm audit fix to replace old, insecure project modules -- and the Register asked them how it's going?
Since April, according to the company, npm users have run 50 million automatic scans and have deliberately invoked the command 3.1 million times. And they're running 3.4 million security audits a week. Across all audits, 51 per cent found at least one vulnerability and 11 per cent identified a critical vulnerability. In a phone interview with The Register, Adam Baldwin, head of security at NPM, said he didn't have data on how many people are choosing to fix flagged flaws. "But what we've seen from pull requests suggests it's gaining traction," he said.
Incidentally, npm's thinking about security is finding similar expression elsewhere in the industry. Earlier this year, GitHub began alerting developers when their code contains insecure libraries. During a recent media briefing, GitHub's head of platform Sam Lambert said he hoped that the process could be made more automated through the mechanized submission of git pull requests that developers could simply accept to replace flawed code.
Baldwin said NPM might implement something similar, an intervention rather than a simple notification. "Currently it's not proactive policy enforcement," he said. "But it's something we're considering." That would appeal to NPM's growing enterprise constituency. "Enterprises for sure want the compliance and control," said Baldwin. "They want that ability to know the open source they're bringing in is safe or meets a certain set of criteria."
Wednesday NPM added "Report a Vulnerability" buttons to every NPM package web page, and also started checking new passwords against the "Have I Been Pwned?" database to spot already-compromised passwords. "The tools for avoiding problems and fixing them are getting better," writes the Register. But it'd be interesting to hear from Slashdot readers.
How do you feel about code repositories automatically offering replacements for insecure libraries?
Incidentally, npm's thinking about security is finding similar expression elsewhere in the industry. Earlier this year, GitHub began alerting developers when their code contains insecure libraries. During a recent media briefing, GitHub's head of platform Sam Lambert said he hoped that the process could be made more automated through the mechanized submission of git pull requests that developers could simply accept to replace flawed code.
Baldwin said NPM might implement something similar, an intervention rather than a simple notification. "Currently it's not proactive policy enforcement," he said. "But it's something we're considering." That would appeal to NPM's growing enterprise constituency. "Enterprises for sure want the compliance and control," said Baldwin. "They want that ability to know the open source they're bringing in is safe or meets a certain set of criteria."
Wednesday NPM added "Report a Vulnerability" buttons to every NPM package web page, and also started checking new passwords against the "Have I Been Pwned?" database to spot already-compromised passwords. "The tools for avoiding problems and fixing them are getting better," writes the Register. But it'd be interesting to hear from Slashdot readers.
How do you feel about code repositories automatically offering replacements for insecure libraries?
No thanks
is shit. what did you expect?
This will be abused, but how?
More secure than Windows.
Javascript in the browser IS the vulnerability.
One, big, fat, grinning, vulnerability.
I seriously doubt only half. better title "JavaScript auditing so poor that half are given a clean bill of health"
See subject: Your MASSIVE FAIL in this life is you're nothing more than a chattering little do-nothing "ne'er-do-well" online & you know it...
* Is that the best your "phantasyland FAKE NAME" (for your fake lie of a so-called 'life') can manage?
When a FAKE NAME do nothing like YOU does better than I have? Then talk (you're all talk & no action)...
You can't help you're an immature little BUTTHURT no-mind, lol! I blew you away in TONS OF PLACES and easily dust your no-mind bullshit blatherings.
APK
P.S.=> The TRUE PRICE of your UNIDENTIFIABLE FAKE NAME do-nothing selves like you that I can ALWAYS CASH IN ON (lol) is that I can use FACT/TRUTH on them to SHATTER their all TOO fragile delusional egos that they actually know A DAMN THING in computing, lol... apk
Stop using JavaScript to do backend operations!
Anons need not reply. Questions end with a question mark.
See subject & you do-nothing soyboy "ne'er-do-wells" are too COWARDLY and EFFEMINATE to ban bump stocks. This would be REAL SECURITY that would put an end to mass shootings. The estrogen in soy milk makes all of you too cowardly to BAN BUMP STOCKS.
* The NRA is supported by George Soros, the Russian government, Jews, and their allies in the Vatican. The Vatican has MEDDLED in our elections to support Hillary Clinton and OPPOSE any form of GUN CONTROL. They work with the Jewish elites in the United States to add SOY MILK to our foods, containing ESTROGEN and making our men EFFEMINATE.
A ban on bump stocks would have STOPPED many recent MASS SHOOTINGS including at the Waffle House, Las Vegas, Parkland, and so many other places. It is TRULY PATHETIC that you SOYBOY WEASELS insist on keeping bump stocks legal. A ban on bump stocks will STOP MASS SHOOTINGS just like my HOSTS FILE ENGINE is a cure-all for INTERNET SECURITY.
Losers like Coren22, arth1, Zontar The Mindless, AssFux (lol), and so many more of you UNIDENTIFIABLE FAKE NAME losers attack me relentlessly for telling the TRUTH. It takes a REAL MAN like me to continually dust all of you you weasels, while you LIE and ACCUSE me of evil criminal acts. You are INCAPABLE of accepting the TRUTH that BUMP STOCKS MUST BE BANNED.
APK
P.S.=> I will continue to DUST your feeble arguments and SWOOP IN wherever you UNIDENTIFIABLE WEASELS keep lying and trolling. You are truly a sad and pathetic sight to see... apk
See subject & APK Hosts File Engine 2.0++ 64-bit for Linux h t t p : / / a p k . i t - m a t e . c o . u k / A P K H o s t s F i l e E n g i n e F o r L i n u x . z i p (remove spaces between characters & download).
Yields more security/speed/reliability/anonymity vs. any SINGLE solution (99% of threats = hostnames vs. IP address that most firewalls use) more efficiently/FASTER + NATIVELY 4 less!
(Vs. "Bolt on 'MoAr' illogic-logic" competitors slowing you, hosts speed you up 2 ways (adblocks + hardcodes u spend most time @) vs. competition loaded w/ bugs (DNS/AntiVir) + their overheads (messagepass ('souled-out' to advertiser addons) + filtering drivers) & their complexity leads to exploitation).
* ONLY 1 of its kind in GUI on Linux/BSD!
(Much better vs. Windows model in speed & efficiency + new "merge" feature)
APK
P.S.=> I use Firefox on Linux & it works like a DREAM w/ hosts. You stupid níggers can benefit from my greatness as God's gift to you... apk
Your software is just fine - well written, functional... I'm going to continue using the Host File Engine by mmell February 17, 2017
Your premise that hostfiles are a good way to deal with advertising and malvertising is quite valid - by JazzLad April 20, 2016
his hosts program is actually pretty good by xenotransplant August 10 2015
his hosts tool is actually useful for those cases in which one does indeed want to locally block stuff outright while consuming minimum system resources by alexgieg September 25 2015
I like your host file system by Karmashock September 09 2015
that APK guy, I use his host file by rogoshen1 Tuesday March 03, 2015
I personally use a HOSTS file blocker produced from a genius called APK by 110010001000 October 27 2017
* Best part = Linux 64-bit model's faster/more efficient (2x work in 1/2 the time)
APK
P.S.=> For a faster/safer/more reliable internet. Even you stupid níggers can benefit from my greatness. God's gift to Slashdot will NEVER be silenced... apk
You don't know the difference between offering people something useful they'll likely want (npm) vs forcing upon people what the company wants (Windows)?
If you can't distinguish between offering something the person wants vs forcing them to take what someone else decides to make them do, I'm going to guess you're a Democrat?
The problem is not that the source code is open per-say but that it gets included wantonly to save cost or for expediency.
These apk trolls are weak and lame, I want the actual apk back dammit. I'm honestly beginning to think that real apk has kicked the bucket, or just got fed up of /.
This tagline was transcoded to result in at least one smirk. If you experience failure to smirk, please consult your Gen
And then cue the confusion from all the people who think their code can't be insecure because they are using a safe language, not like C.
A while ago someone said here that "buffer overflow exploits are the low-hanging fruit of hackers, once they are gone there is plenty of other stuff." And that person was right.
"First they came for the slanderers and i said nothing."
Half of audited JavaScript projects *don't* contain a vulnerability. Seems like a win.
It must have been something you assimilated. . . .
Ray Morris pushed the nazi white supremacist lie shamelessly, the faggot has zero honor or intellectual integrity - https://tech.slashdot.org/comments.pl?sid=12520486&cid=57184660
So they will send my plain text or unsalted & hashed password over the TLS-wire to the "trusted" pwned DB for a match?
No thanks!
I lick up nun farts.
My experience is that large corporations want security and compliance. What they don't want to do is actually change anything to achieve it, especially if that changing happens on anything other than their schedule. Updating dependencies to fix security issues means having to revalidate and recertify the entire software stack, after all, and they want to avoid that at all costs. They'll only grudgingly do it when some outside agency credibly threatens them with fines and penalties that exceed the cost of the recertification. This is particularly silly since if you keep up with updates regularly it's a relatively painless process that usually doesn't break anything and if it does you've got plenty of time to fix it on your schedule. It only becomes an issue when you've avoided updates for so long that your versions of the dependencies are obsolete/unsupported and the current versions have major API redesigns or have been completely replaced by something with a different API. That's when it gets painful.
This is what happens when maintenance is considered a cost center rather than a necessary aspect of earning revenue. It's like considering janitorial services to be a cost center: pretty quick your business gets filthy and nobody wants to come in the door.
APK is still around, but why do you seem to like him so much? He's a spammer, a bigot, and is incredibly hateful toward others. I just don't understand why you'd want either the fake APK or the real APK around.
All of this is extremely true, and he's been incredibly hateful toward me for many years, but something about triggering his ire reminds me that I'm still alive!!
Successfully winding up a troll like apk is more satisfying than it should be. I don't know why, but there you have it.
This tagline was transcoded to result in at least one smirk. If you experience failure to smirk, please consult your Gen
Hey, things are looking up for JS!
JavaScript itself is a vulnerability. Why do I have domain blocking of CSS but not JS in browsers?
Ray Morris pushed the nazi white supremacist lie shamelessly, the faggot has zero honor or intellectual integrity - https://tech.slashdot.org/comments.pl?sid=12520486&cid=57184660
Impersonating me? Get a life already, freak.
APK
P.S.=> Unbelievable anyone wastes their life & time the way you do impersonating me & for what? Does it STOP me from posting?? No... apk
Impersonating me? Get a life already, freak!
APK
P.S.=> Unbelievable anyone wastes their life & time the way you do impersonating me & for what? Does it STOP me from posting?? No... apk
Impersonating me? Get a life already, freak.
APK
P.S.=> Unbelievable anyone wastes their life & time the way you do impersonating me & for what?? Does it STOP me from posting??? No... apk
This is one of main reasons why I have NoScript installed on all my browsers, and if a browser isn't supported by NoScript I don't use that browser.
Khazar Talmudic Jews believe this of all they call goyim/gentiles (any non-jew): Jews = biggest racists of all (for which they "jew guilt" you for no less! They're hypocrites known as thieves all thru history or were Argentines in the 1940 under Peron, Spanish inquistion, France (1306), Egypt (despoiled/robbed by jews), Arabs (pre & post 1948), England (1330 Edward longshanks), Romans under titus, Russia pogroms and Germany who got rid of them from their nations nazi german's too? No. Driven into DESERTS ages ago! Don't wonder why after all those exilings above.
Should anyone doubt any of this see Jacob Javits' crony Rosenthal spill the beans on it https://www.youtube.com/watch?v=D4zMVZ8HnFI/ where he called all Christianity fools for helping Israel and the biggest scam of all time per their beliefs below from their Talmud.
This is the province of the synagogue of Satan (Pharisees whom Jesus Christ himself kicked to the curb out of the temple & they killed him for it. Jeremiah did the same to them also + the Essenes could not stand them either breaking away from the pharisee corruption):
Mark Zuckerberg stole the Winklevoss twins' code for Fakebook (figures as he is a thieving low jew too).
Maria Abramovic satanist spirit cooker pal of Hillary Clinton the Voodoo queen is a jew https://www.google.com/search?...
Like Hillary Clinton's mentor Saul Alinsky author of rules for radicals book dedicated to Lucifer
"Most Jews do not like to admit it, but our god is Lucifer Â- so I wasnÂ't lying Â- and we are his chosen people. Lucifer is very much aliveÂ" Harold Rosenthal http://www.thetruthseeker.co.u...
Jewish rabbi openly admits to satan worship use white children's blood they kill for passover bread, infiltrating and subverting the catholic church, creating the Jesuit order https://www.youtube.com/watch?... and https://www.youtube.com/watch?...
Barbara Spectre, a jew, tells everyone it's jews orchestrating the muslim migrant problem in Europe https://www.youtube.com/watch?v=MFE0qAiofMQ/ . No migrant raping of women in Poland. Tons in Sweden. Do the math. Use common-sense. This is to get muslims and other goyim/gentiles to wipe one another out as incompatible cultures that will clash and always have.
Rabbi A. Finkelstein ADMITS their greatest enemies are ARABS and WHITES (blacks too) whom they wish to kill one another in a 'theater of war' which they find AMUSING https://www.youtube.com/watch?...
Finkelstein also admits JEWS DID 9/11 (perpetrated by the Mossad & Bebe Netanyahu of ISRAEL) https://www.youtube.com/watch?... profiting by it (and that 3,000 jews employed there did not show up for work that day knowing about it beforehand).
Finkelstein also admits JEWS are going to destroy the U.S. Dollar and dumping it for other world currencies and gold to destroy the United States.
George Soros who funds groups to create division in the USA?? A jew. One who sold his own jew people into death for the nazis.
Zucker now FIRED @ CNN is another frying publicly for lying about "russians" and John Bonifield a producer @ CNN said it is bs. Van Jones did also.
Bernie Madoff (who made off with everyone's money, especially construction union pensions) shows the thieving nature of the JUDEN!
Eric Schmidt had to step down @ JEWgle (a jew).
Adam Schiff (gosh s