paulmillr / noble-hashes

Audited & minimal JS implementation of hash functions, MACs and KDFs.
https://paulmillr.com/noble
MIT License

commit package-lock.json #32

Closed dawsbot closed 2 years ago

dawsbot commented 2 years ago

Upon forking the repo, I noticed there is no package-lock.json.

All recent versions of npm generate this file and it's imperative for deterministic installs. A security recommendation for all JS projects is to include a package-lock.json [Source from OWASP]

Closes #31

paulmillr commented 2 years ago

Not really — that's on purpose. I'm getting tired of all the dependency vulnerability warnings which are bullshit.

Version ranges specified in package.json are good, tight enough.

dawsbot commented 2 years ago

I was not aware that the library is entirely dependency free. 0 Dependencies. Ignore my thoughts: unless one day a dependency is added 🙏

~If you're tired of vulnerability warnings, you should turn off dependabot vulnerability warnings.~

~It's unsafe to avoid the lockfile altogether. Your audits should include certain dependency versions as well so that folks can understand if the audited version number contains the exact same deps as what they are installing.~

paulmillr commented 2 years ago

Yeah, they spam "vulnerability" for all devDependencies which are very annoying, since 99% of the time it's a nothingburger.