companionhost.blogg.se

Extreme sample converter 3.6.0 full version mega
Packages are literally remote code exec vulns in the hands of package authors. At the very least, it takes them under a minute to break your app, simply by deleting their package. This is not the first time it's happened, and it's not going to be the last. I write backends (mostly in PHP, although not exclusively), and I release a lot of my code under libre licenses. I don't want that level of control over other people's projects, it's scary as fuck. I have a mailing list for people who use my code; when an update is out they can download the .php files, 'require' them and test them before deployment, but never will I do packages. IMO, re-inventing the wheel sometimes is not the worst thing. Including code written by strangers that you haven't inspected and that they can remotely modify is. Stop using packages that are essentially wrappers around three-line Stack Overflow answers. In this case, the old-fashioned way is the better way, and you'll have a hard time convincing me otherwise.

> Packages are often seen as a one-step plug-and-play solution. I don't want people to see my code that way. They should dive in and inspect it before using it (it is always written with this in mind - with extensive commenting and documentation).

> IMO, the advantage of my method is that (at least a few) more people will test/audit my code as opposed to if it was available as a package. Which increases the likelihood of any possible bugs in the code getting caught.

The person who unthinkingly installs a package will also unthinkingly include your script using 'require'. The only thing that happens is anyone who is interested in auditing your code and uses composer is inconvenienced with busywork that would otherwise be handled by composer, e.g.

> Honestly, this is a personal thing for me. If people are using my code, I will feel responsible to some extent.

The point you made was that you would feel more responsibility for a package rather than a PHP file. There's no reason why this should be the case.

> The person who unthinkingly installs a package will also unthinkingly include your script using 'require'

Both methods result in your code being run by 3rd parties.

The npm stories show that most people do this with npm though. This color thing shows many people will just install whatever without checking: manually or automatically. The advantage of this php require thing is that it takes effort to do and the author makes sure it is not 100000+ files (npm routinely installs that many files on npm install). Package management is great; it works well with NuGet for instance.

Npm is worse than gems, nuget, whatever php has etc simply because the community is pretty broken in as much that everything has to be a package and, even though you can type the functionality faster than you can search for it (yeah yeah whine tests whine docs: for leftpad, nobody cares about those things, it's trivial functionality), people use those. But those are a sane community; no one used leftpad and such, so the tree of source to audit is not so large, not counting MS, but then again, you are not auditing nodejs are you? Now faker (don't know colors) is non trivial: question is, what makes this happen here and not in, say, nuget popular packages? Is it still/again the community or something else?

I agree that it's ultimately the developer's fault for allowing code to be automatically injected from not fully trusted sources on minor updates, but the package manager makes it way too easy to do. For example, when I npm install a package, it defaults to specifying a semver compatible version in package.json, rather than doing the secure thing and pinning a version. But whether this default behaviour should change or not is also a security tradeoff.

Pinning versions means that you will keep using an insecure version of a dependency until you update, whereas using a semver compatible version allows you to "automatically" pick up a fixed and compatible version.