25Kas
How serious are npm module vulnerabilities?
Obviously any known vulnerabilities are not great, but I'm curious how much I should be concerned about them.
I've seen plenty of articles that talk about the rise in malware/spam in npm packages:
- NPM malware attack goes unnoticed for a year
- Malicious NPM packages are part of a malware “barrage” hitting repositories
- Worried about occasional npm malware scares? It's more common than you may think
But nonetheless it seems like for so many projects, when you run npm install, you get greeted with a slew of medium-to-critical vulnerabilities reported by npm audit. What gives?
These articles make me feel like running npm/gulp on my device is a horrible idea, yet it seems that many projects just don't address the vulnerabilities in their dependencies, to avoid breakage.
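One way to make sense of a long `npm audit` list is to triage the JSON report rather than read the raw count. The script below is an added example, written here as illustration and not code from the original post or from npm; it parses the npm 7+ `npm audit --json` format (`"auditReportVersion": 2`) and separates distinct advisories from packages that are only flagged because they depend on a vulnerable one, fixes that need a semver-major upgrade (the "breaks the build" case) from drop-in fixes, and entries reachable from production dependencies from those that only sit under devDependencies. The report and the devDependencies list are constructed sample data; every package name, version and advisory in it is a placeholder.

```javascript
// Added example, not code from the original post or from npm: triage an
// `npm audit --json` report (npm 7+ format, "auditReportVersion": 2).
// SAMPLE_AUDIT is a CONSTRUCTED report; package names, versions and advisory
// titles are placeholders, not real packages or real advisories.
const SEVERITY_ORDER = ["critical", "high", "moderate", "low", "info"];

const SAMPLE_AUDIT = {
  auditReportVersion: 2,
  vulnerabilities: {
    "demo-argparser": {
      name: "demo-argparser", severity: "critical", isDirect: false,
      // an object in `via` means this package carries the advisory itself
      via: [{ source: 1001, name: "demo-argparser", title: "Placeholder advisory A",
              severity: "critical", range: "<1.2.0" }],
      effects: ["demo-mkdir"], range: "<1.2.0", nodes: ["node_modules/demo-argparser"],
      fixAvailable: true,
    },
    "demo-mkdir": {
      name: "demo-mkdir", severity: "critical", isDirect: false,
      // a string in `via` means the package is flagged only because it depends on a vulnerable one
      via: ["demo-argparser"], effects: ["demo-build-tool"], range: "<=0.5.1",
      nodes: ["node_modules/demo-mkdir"],
      fixAvailable: { name: "demo-build-tool", version: "4.0.0", isSemVerMajor: true },
    },
    "demo-build-tool": {
      name: "demo-build-tool", severity: "critical", isDirect: true,
      via: ["demo-mkdir"], effects: [], range: "<4.0.0", nodes: ["node_modules/demo-build-tool"],
      fixAvailable: { name: "demo-build-tool", version: "4.0.0", isSemVerMajor: true },
    },
    "demo-http-client": {
      name: "demo-http-client", severity: "moderate", isDirect: true,
      via: [{ source: 1002, name: "demo-http-client", title: "Placeholder advisory B",
              severity: "moderate", range: "<2.3.1" }],
      effects: [], range: "<2.3.1", nodes: ["node_modules/demo-http-client"],
      fixAvailable: false,
    },
  },
  metadata: { vulnerabilities: { info: 0, low: 0, moderate: 1, high: 0, critical: 3, total: 4 } },
};

// A vulnerable package matters at runtime only if some chain of `effects`
// leads up to a direct dependency that is not dev-only. npm lists every
// package on that chain as its own "vulnerability", which is why a single
// advisory deep under a build tool shows up as several entries.
function prodReachable(name, vulns, devDeps, memo = new Map()) {
  if (memo.has(name)) return memo.get(name);
  memo.set(name, false); // cycle guard
  const v = vulns[name];
  if (!v) return false;
  let reachable = v.isDirect && !devDeps.has(name);
  if (!reachable) reachable = v.effects.some((e) => prodReachable(e, vulns, devDeps, memo));
  memo.set(name, reachable);
  return reachable;
}

// devDependencies would normally come from package.json; here the caller passes a list.
function triage(report, devDependencies = []) {
  if (report.auditReportVersion !== 2) throw new Error("expected npm 7+ audit JSON");
  const vulns = report.vulnerabilities;
  const devDeps = new Set(devDependencies);
  const counts = Object.fromEntries(SEVERITY_ORDER.map((s) => [s, 0]));
  const result = { counts, rootCauses: [], breakingFixes: [], unfixable: [], prodReachable: [], devOnly: [] };
  for (const v of Object.values(vulns)) {
    counts[v.severity] += 1;
    // distinct advisories vs. packages flagged only through their dependencies
    if (v.via.some((x) => typeof x === "object")) result.rootCauses.push(v.name);
    // `fixAvailable` is true, false, or an object describing the upgrade `npm audit fix --force` would make
    if (v.fixAvailable === false) result.unfixable.push(v.name);
    else if (v.fixAvailable !== true && v.fixAvailable.isSemVerMajor) result.breakingFixes.push(v.name);
    (prodReachable(v.name, vulns, devDeps) ? result.prodReachable : result.devOnly).push(v.name);
  }
  return result;
}

// Constructed devDependencies list: the build tool is dev-only, the HTTP client ships to production.
console.log(JSON.stringify(triage(SAMPLE_AUDIT, ["demo-build-tool"]), null, 2));
```

On the constructed report the headline "3 critical, 1 moderate" collapses to two distinct advisories, the three critical entries are the same advisory propagated up a dev-only build tool chain whose only fix is a semver-major upgrade, and the one entry that can reach production code has no fix available at all. That split (root cause, breaking fix, runtime reachability) is the triage the raw count hides. npm's own approximation of the dev-only split is running the audit with dev dependencies omitted (`npm audit --omit=dev` on recent npm versions); the reachability walk above only covers packages that appear in the audit report, which is all that is needed because npm includes every package on the affected chain as its own entry.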