debug icon indicating copy to clipboard operation
debug copied to clipboard

Published 20 hours ago verified publisher icon debug-js

Thoughts on locking version of "ms" dependency?

Open dougwilson opened this issue 6 years ago • 6 comments

Hello 👋 I wanted to open this issue to get a gauge on the single dependency the module has.

Currently this module as a dependency on ms with the semver range set to ^2.1.1.

This in itself is not bad. I know bumping dependency versions is annoying, as well.

I just wanted to check on if there would be strong disinterest in setting it to, like 2.1.1. The reason I'm even bothering to ask is because I love this module, and love using it. When I look at the modules in use, I look at the list of users who can affect the final install. When another package (package_a) takes a dependency on debug, even if it pins the version of debug it depends on (thus none of the debug publishers can affect package_a), all the current and future publishers of ms can still alter the final install of package_a, which means users of package_a must trust the author(s) of ms.

The ms module does not seem to change regularly, so that why I'm even bothering to propose this to get a gauge on the opinions here.

If it's agreeable, I can make a pull request with the change, even. I'd love to see it backported to the 3.x series (as it seems there have been backports according to npm info debug time), but if 3.x is dead now, then even just 4.x is cool.

Let me know what you think, and if you're "no" you won't hurt my feelings :)

dougwilson avatar Feb 22 '19 07:02 dougwilson

The author of ms is @rauchg, whom I trust very, very much, but thank you for the concern - I see this as a non-issue in this particular case.

Qix- avatar Feb 22 '19 11:02 Qix-

I know this is old, but just wanted to follow up here to note that as of today, there are 57 npm users who can publish a new version of the ms package, which feels excessive, but that is just an opinion:

$ npm owner ls ms | wc -l
      57

dougwilson avatar Mar 26 '20 17:03 dougwilson

@rauchg can you weigh in on this? 57 people with access does seem excessive. We've already seen cases of targeted attacks in the form of npm account takeovers and malicious publishes.

All-in-all, I've changed my stance on pinning anyway. Re-opening - someone is welcome to pin the current version and submit a PR.

Qix- avatar Mar 26 '20 17:03 Qix-

Landed ultimately in db306db99e7822d355724698990d335927563210.

Qix- avatar Mar 27 '20 19:03 Qix-

2.6.8

RabiaSaid avatar Jun 21 '22 12:06 RabiaSaid

4.3.4

RabiaSaid avatar Jun 21 '22 12:06 RabiaSaid