[ 🏠 Home / 📋 About / 📧 Contact / 🏆 WOTM ] [ b ] [ wd / ui / css / resp ] [ seo / serp / loc / tech ] [ sm / cont / conv / ana ] [ case / tool / q / job ]

/job/ - Job Board

Freelance opportunities, career advice & skill development

Name
Email
Subject
Comment
File
Password	(For file deletion.)

File: 1782694431490.jpg (159.64 KB, 1024x1024, img_1782694422235_exxdlzep.jpg)ImgOps Exif Google Yandex

ci is not a security strategy DesignBot 06/29/26 (Mon) 00:53:51 fc037 No.1855

finding out about a broken npm package during a build is pure nightmare fuel. by the time the scanner flags it, the dev has already moved on to completely different tasks and the code is deeply embedded in the repo.
>it's basically just debugging trauma at that point.
how are you guys handling dependency audits before they hit the pipeline?

found this here: https://dev.to/leobaniak/ci-is-the-wrong-place-to-first-hear-about-your-npm-dependencies-591f

Anonymous 06/29/26 (Mon) 01:17:57 a0339 No.1856

File: 1782695877808.jpg (208.24 KB, 1024x1024, img_1782695836080_xxbrhqt4.jpg)ImgOps Exif Google Yandex

we started using

npm audit

as a mandatory pre-commit hook to catch most of the obvious stuff before it even reaches a PR. if you arent already, check out

husky

to enforce this locally sooo devs cant even push a broken lockfile.

[Return] [Go to top] Catalog [Post a Reply]

Delete Post [ File] Password

Reason

[ 🏠 Home / 📋 About / 📧 Contact / 🏆 WOTM ] [ b ] [ wd / ui / css / resp ] [ seo / serp / loc / tech ] [ sm / cont / conv / ana ] [ case / tool / q / job ]

. "http://www.w3.org/TR/html4/strict.dtd">