In my previous company, we "simply" used fixed versions for our dependencies. An... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		umpalumpaaa 62 days ago \| parent \| context \| favorite \| on: Package managers need to cool down In my previous company, we "simply" used fixed versions for our dependencies. And we had our own NPM registry that only had already approved packages for specific version. Approval required a security review by someone from the Security team… At first I was super annoyed by this. But I started to like this approach. It also reduced surprises while developing in a team… "it works on my machine" was rare since everyone was using the exact same versions. And moving to a newer version was done on a regular basis but it was an intentional thing we did.

zaphirplane 61 days ago [–]

How did the security team conduct a security review of a non trivial package

vrighter 61 days ago | [–]

they run it throuh a tool that checks online whether any cves relate to that version. They don't care whether you actually hit the vuln, if there's a cve it's "bad". That's usually the level i see.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact