


React Native scares me with its dependency webs:

From my experience, it's really great to work with and definitely saves a ton of work, but the depgraph above fills me with doubt for use in sensitive applications such as in finance or healthcare. Any one of those JavaScript projects could do something nefarious deep under the hood, and this to me seems to expose a huge surface area for attackers. The depgraph of reactjs is far simpler and easier for me to understand and therefore feel trust:

Does anyone know if there has been reliable research towards the security of the entire RN dependency tree? Seeing a stray dep there that has 1 maintainer on npm/GitHub who has been inactive for over a year makes me nervous. However, as one friend pointed out, a lot of those deps are indeed for build time only, which have different risk profiles.

For this reason, I've been trying out Flutter or even considering going back to native apps. Perhaps there's some kind of middle ground where we can create a tight microkernel-like thing natively using secure enclaves and key managers, but expose an API to the "untrusted" parts of the program. This approach is not without its own downsides, such as dark patterns in a compromised UI.

Here's a classic throwback to keep us on our toes :)
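As an added example (not from the post above, and not React Native's real tree), here is a script that splits a `package-lock.json` into packages reachable at runtime and packages that are build-time only, the distinction the post's friend raised. The lockfile in it is a constructed toy; `resolve`, `reachable` and `partition` are names chosen here, and the lookup rule mirrors npm's nested `node_modules` resolution.

```javascript
// Constructed toy lockfile in the lockfileVersion 2/3 layout (not React Native's real tree).
const lock = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { app: "1.0.0" }, devDependencies: { bundler: "2.0.0" } },
    "node_modules/app": { version: "1.0.0", dependencies: { util: "^1.0.0", "left-pad": "1.3.0" } },
    "node_modules/util": { version: "1.0.0" },
    "node_modules/left-pad": { version: "1.3.0" },
    "node_modules/bundler": { version: "2.0.0", dev: true, dependencies: { util: "^2.0.0", minifier: "*" } },
    "node_modules/bundler/node_modules/util": { version: "2.0.0", dev: true },
    "node_modules/minifier": { version: "0.1.0", dev: true },
  },
};

// Mirror npm's lookup: try the dependant's own node_modules, then each parent's, up to the root.
function resolve(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!base) return null; // declared but absent from the lockfile
    const i = base.lastIndexOf("/node_modules/");
    base = i === -1 ? "" : base.slice(0, i);
  }
}

// Breadth-first closure over the packages reachable from one root field.
function reachable(packages, rootField) {
  const seen = new Set();
  const queue = Object.keys(packages[""][rootField] || {}).map((n) => resolve(packages, "", n));
  while (queue.length) {
    const p = queue.shift();
    if (p === null || seen.has(p)) continue;
    seen.add(p);
    for (const dep of Object.keys(packages[p].dependencies || {})) queue.push(resolve(packages, p, dep));
  }
  return seen;
}

// Runtime packages ship inside the app; build-only ones run on developer and CI machines.
// Also report entries whose "dev" flag disagrees with the computed graph (a stale lockfile).
function partition(lock) {
  const runtime = reachable(lock.packages, "dependencies");
  const buildOnly = [...reachable(lock.packages, "devDependencies")].filter((p) => !runtime.has(p));
  const mislabeled = Object.keys(lock.packages)
    .filter((p) => p !== "" && Boolean(lock.packages[p].dev) !== buildOnly.includes(p));
  return { runtime: [...runtime].sort(), buildOnly: buildOnly.sort(), mislabeled };
}

console.log(partition(lock));
```

On a real project, replace `lock` with `JSON.parse(fs.readFileSync("package-lock.json"))`; the runtime list is the set that actually ships to users, and is the one to review for single-maintainer or long-inactive packages.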
