#Golang has this concept of vulnerabilities where if your code doesn’t use the vulnerable code in the package it won’t mark your project as being vulnerable to it. The #javascript and #typescript ecosystems desperately need this. I know there are more challenges in the JS world to doing this in practice though. But the amount of false positives makes vulnerability reporting for #typescript and #javascript useless to many.
=> More informations about this toot | More toots from renedudfield@fosstodon.org
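
An added illustration, not part of the original toot or of any Go tooling, of the symbol-level reachability check the post describes: an advisory is reported only if one of its vulnerable functions can be reached from the program's entry point. The call graph, the package names (`yamlpkg`, `imgpkg`) and the advisory IDs are constructed placeholders.

```go
package main

import "fmt"

// Advisory: constructed record naming vulnerable functions (placeholder IDs).
type Advisory struct {
	ID      string
	Symbols []string
}

// Constructed sample: both packages are imported, only yamlpkg is called.
var sampleCalls = map[string][]string{
	"main.main":     {"yamlpkg.Parse"},
	"yamlpkg.Parse": {"yamlpkg.alias"},
}
var sampleAdvs = []Advisory{
	{"EXAMPLE-0001", []string{"yamlpkg.alias"}},
	{"EXAMPLE-0002", []string{"imgpkg.Decode"}},
}

// reachable returns every function the program can call starting at entry.
func reachable(calls map[string][]string, entry string) map[string]bool {
	seen := map[string]bool{entry: true}
	for queue := []string{entry}; len(queue) > 0; queue = queue[1:] {
		for _, callee := range calls[queue[0]] {
			if !seen[callee] {
				seen[callee] = true
				queue = append(queue, callee)
			}
		}
	}
	return seen
}

// Triage splits advisories into called vs. matched only as a dependency.
func Triage(calls map[string][]string, entry string, advs []Advisory) (called, importedOnly []string) {
	live := reachable(calls, entry)
	for _, a := range advs {
		bucket := &importedOnly
		for _, s := range a.Symbols {
			if live[s] {
				bucket = &called
			}
		}
		*bucket = append(*bucket, a.ID)
	}
	return called, importedOnly
}

func main() { fmt.Println(Triage(sampleCalls, "main.main", sampleAdvs)) }
```

A package-level scanner would report both advisories here; the reachability check reports only the first, which is the difference in false positives the post is pointing at.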