One issue that is sort of addressed in this, and that I've been trying to find a solid answer on, is how to strongly ensure a given NPM package and its dependencies are safe to use?
So far the only real solution I've come up with is to do a signals review (GitHub? issues? downloads/day, etc.) and then review the code block by block, carefully examining any complex or potentially dangerous code.
It works, and you learn a lot about the packages and why they depend on each other, but at the same time this process is exhausting.
What would be a godsend is some major security brand who can vouch (even at cost) for a given version of major packages including their dependency tree.
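As an added example (not code from the comment above), here is a small "signals review" that walks an npm lockfile (the `packages` map of lockfile v2/v3) and surfaces the entries a manual review should look at first: packages with install scripts, packages fetched from outside the public registry, packages with no integrity hash, plus a reverse lookup that answers "why is this package in my tree?". The sample lockfile is constructed; the package names and the `example.invalid` host are placeholders.

```javascript
// Added example: signals review over an npm lockfile v2/v3 "packages" map.
// Fields used (hasInstallScript, resolved, integrity, dependencies) are the
// ones npm itself writes into package-lock.json; the sample data is constructed.
const REGISTRY = "https://registry.npmjs.org/";

// Derive the package name from a lockfile path such as
// "node_modules/@acme/gamma" or "node_modules/alpha/node_modules/beta".
function nameFromPath(p) {
  const parts = p.split("node_modules/");
  return parts[parts.length - 1];
}

// Walk every installed package and collect review signals worth a closer look.
function auditLockfile(lock) {
  const findings = [];
  let total = 0;
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project, not a dependency
    total += 1;
    const flags = [];
    if (entry.hasInstallScript) flags.push("install-script"); // runs code at install time
    if (!entry.integrity) flags.push("no-integrity");          // nothing pins the tarball bytes
    if (entry.resolved && !entry.resolved.startsWith(REGISTRY)) flags.push("off-registry");
    if (flags.length) findings.push({ name: nameFromPath(path), version: entry.version, path, flags });
  }
  return { total, findings };
}

// Reverse lookup: which installed packages (or the root) declare `name` as a dependency.
function whyDependsOn(lock, name) {
  const out = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const deps = Object.assign({}, entry.dependencies, entry.optionalDependencies);
    if (name in deps) out.push(path === "" ? "<root>" : nameFromPath(path));
  }
  return out.sort();
}

// Constructed sample lockfile (placeholder names, not a real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { alpha: "^1.0.0", beta: "^2.0.0" } },
    "node_modules/alpha": { version: "1.0.0", resolved: REGISTRY + "alpha/-/alpha-1.0.0.tgz",
      integrity: "sha512-constructed", dependencies: { "@acme/gamma": "^0.1.0" } },
    "node_modules/beta": { version: "2.0.0", resolved: REGISTRY + "beta/-/beta-2.0.0.tgz",
      integrity: "sha512-constructed", hasInstallScript: true },
    "node_modules/@acme/gamma": { version: "0.1.0", resolved: "git+ssh://git@example.invalid/acme/gamma.git#abc" },
  },
};

console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK), null, 2));
console.log("who needs @acme/gamma:", whyDependsOn(SAMPLE_LOCK, "@acme/gamma"));
```

On a real project, load `package-lock.json` with `JSON.parse(fs.readFileSync(...))` and pass it as `lock`; the flagged entries are where to start the block-by-block code review.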