Update README.md #78

Draft: wants to merge 1 commit into base: main
Conversation

kburich commented Feb 13, 2025

Add a security badge that highlights code security compliance and enhances project transparency. The badge automatically updates when a new version is published.

https://secure.software/npm/packages/minimist

ljharb (Member) commented Feb 13, 2025

I’ve checked a few of my packages with that site and am underwhelmed - false positives, and already-fixed vulns show up as somehow being worse than no vulns at all (when in fact that’s better).

I think we’ll pass on this one.

kburich (Author) commented Feb 13, 2025

Thanks for the response. First of all, I have to say I love your work, and thank you for your contributions to open source!

Would love to hear more about your experience with the site as I am one of the developers working on it. Could you be a bit more specific about what you didn't like?

Your feedback would be much appreciated and I'm confident that we could fix any issue you encountered on our side pretty promptly.

ljharb (Member) commented Feb 13, 2025

https://secure.software/npm/packages/qs has a "high" issue (that almost surely is a false positive), but there's no way to find out what the issue is or how I can fix it.

https://secure.software/npm/packages/resolve has 3 resolved CVEs, and a resolved CVE is a much stronger signal for "secure" than no CVEs at all for any software, so why does it have a scary red exclamation point? Same with https://secure.software/npm/packages/forms.

Then there's a package like https://secure.software/npm/packages/aud, which is archived and deprecated, so while there are no known CVEs, if one were discovered it probably wouldn't get fixed, so it definitely should not show up as green/safe/secure.

In other words, it appears that this site is "punishing" packages that have ever had vulnerabilities, when in fact the proper security posture is to assume every single package in existence has vulnerabilities, they're just not all known yet - and evidence that maintainers respond to and resolve vulnerabilities means the package is secure, whereas no evidence whatsoever means its security is unknown.

(Also, in general, any reported problem should be clickable and take me to a more detailed explanation of the precise problem in this package, not a generic page describing the category of problem.)

ljharb marked this pull request as draft February 13, 2025 17:11
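The scoring argument in the comment above (open advisories are bad; a history of resolved advisories is evidence of responsive maintenance; a deprecated or archived package should not be green; no advisories at all means "unknown", not "safe") can be written down as a small classifier. The following is an added example, not code from the minimist project or from secure.software; the package records, advisory dates and package names are constructed for illustration, and the field names (`deprecated`, `archived`, `fixedAt`) are assumptions about what an advisory feed plus registry metadata would supply.

```javascript
// Added example: a package-posture classifier for the argument made in the
// thread above. Not the minimist project's code and not secure.software's logic.
// Records are constructed; real inputs would come from an advisory database plus
// registry metadata (e.g. npm's `deprecated` field and a repository archived flag).

const POSTURE = Object.freeze({
  VULNERABLE: 'vulnerable',     // an advisory with no fixed version exists
  UNMAINTAINED: 'unmaintained', // deprecated or archived: a new vuln would likely go unfixed
  RESPONSIVE: 'responsive',     // advisories exist and every one has a fix: maintainers act
  UNKNOWN: 'unknown',           // no advisories at all: no evidence either way, not "safe"
});

// Badge rendering per posture. UNKNOWN deliberately does not map to green.
const BADGE = Object.freeze({
  [POSTURE.VULNERABLE]: { label: 'open advisory', color: 'red' },
  [POSTURE.UNMAINTAINED]: { label: 'unmaintained', color: 'orange' },
  [POSTURE.RESPONSIVE]: { label: 'advisories resolved', color: 'green' },
  [POSTURE.UNKNOWN]: { label: 'no data', color: 'grey' },
});

const MS_PER_DAY = 86_400_000;

// Days between publication of an advisory and the release that fixed it
// (dates are ISO YYYY-MM-DD strings, parsed as UTC by Date.parse).
function daysToFix(advisory) {
  return Math.round((Date.parse(advisory.fixedAt) - Date.parse(advisory.published)) / MS_PER_DAY);
}

function median(values) {
  if (values.length === 0) return null;
  const sorted = [...values].sort((a, b) => a - b);
  const mid = Math.floor(sorted.length / 2);
  return sorted.length % 2 ? sorted[mid] : (sorted[mid - 1] + sorted[mid]) / 2;
}

// Classify a package. Precedence: an open advisory outranks everything,
// then maintenance status, then the presence of a fully resolved history.
function classify(pkg) {
  const open = pkg.advisories.filter((a) => a.fixedAt === null);
  if (open.length > 0) return POSTURE.VULNERABLE;
  if (pkg.deprecated || pkg.archived) return POSTURE.UNMAINTAINED;
  if (pkg.advisories.length > 0) return POSTURE.RESPONSIVE;
  return POSTURE.UNKNOWN;
}

// Everything a badge or report needs, including the evidence behind the verdict,
// so a reader can click through to the precise advisories rather than a category page.
function summarize(pkg) {
  const resolved = pkg.advisories.filter((a) => a.fixedAt !== null);
  const posture = classify(pkg);
  return {
    name: pkg.name,
    posture,
    badge: BADGE[posture],
    openCount: pkg.advisories.length - resolved.length,
    resolvedCount: resolved.length,
    medianDaysToFix: median(resolved.map(daysToFix)),
    advisories: pkg.advisories,
  };
}

// Constructed sample records (hypothetical packages; no real advisory identifiers).
const SAMPLES = [
  { name: 'pkg-with-history', deprecated: false, archived: false,
    advisories: [
      { severity: 'high', published: '2023-01-10', fixedAt: '2023-01-12' },
      { severity: 'moderate', published: '2024-03-01', fixedAt: '2024-03-08' },
      { severity: 'low', published: '2024-09-15', fixedAt: '2024-09-16' },
    ] },
  { name: 'pkg-abandoned', deprecated: true, archived: true, advisories: [] },
  { name: 'pkg-open-issue', deprecated: false, archived: false,
    advisories: [{ severity: 'high', published: '2025-01-20', fixedAt: null }] },
  { name: 'pkg-no-data', deprecated: false, archived: false, advisories: [] },
];

for (const pkg of SAMPLES) console.log(summarize(pkg));
```

The point of the four-way split is that "no known CVEs" and "CVEs found and fixed" are different evidence: the first says nothing, the second says maintainers respond, and the median time-to-fix quantifies how quickly. A deprecated or archived package with a clean history still lands on an amber badge because that history cannot be expected to continue.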
kburich (Author) commented Feb 13, 2025

Thank you for the great feedback. We will thoroughly analyze the feedback and I will get back to you :)
