> Problem is, reacting to these alerts is a full time job. And when you’re faced with endless false positives you stop paying attention and eventually disable it.
I think we all agree with this. However, the semantics boil down to, if you use n:
- with no advisory database/dependency scanning, you'll eventually suffer this parade of horribles
- with an advisory database / dependency scanning which results in tons of false positives, you will also suffer from the same parade of horribles.
A scanning system with relatively few false positives could change the result. But very very few groups can afford to follow up on all of these. And those which can tend to take ownership of their own dependencies, perhaps privately forking them (as Google did with Linux).
Maybe dependency advisors will eventually grow into the role we want them to fill and become far more useful. It's probably better than nothing in its current form, but it's hard to say how much better than nothing.