
The main problem is the fact that this audit happens with no context, and the audit results offer no information about the context an issue applies to either. Every issue should have a clear explanation about why and where it's an issue, and be tagged. Then we'd just need a way to hint npm what context a package will be used in, similarly to what we already do for devDependencies.

Also going through an audit result in a CLI isn't really the best experience. I wish I could just click a link and open up the report in a browser to drill down into issues.



No it’s not. The main problem is the dependency tree hell. If an ancestor version bumps, you should probably version bump too, irrespective of exploitability.

Don’t like it? Try using more maintainable dependency trees.



