Add @euberdeveloper/eslint-plugin #537
Conversation
mileslane left a comment
We should not use dependencies that have a small user and developer base. It is extremely risky, as there are many bad actors who are using such packages to install malware. I see no reason to merge a package whose primary function, at the best, would be to simply add a bundle of other dependencies.
Yes, but this way I cannot use your service with my code. I guess that this is a problem for other people, too.
mileslane commented Feb 4, 2022
Yes, that's true. I would be more concerned for your risk exposure. I opened a similar issue for several Babel plugins. I personally avoid using NPM packages with few users and developers. I don't want any obscure, poorly supported plugins in my code. Adding the plugin to the codeclimate-eslint package.json does not increase anyone's risk.
In this case (to me) it's not obscure, since it is written by me... I find it a very comfortable way to add my customized eslint configuration to all my projects, and I prefer giving up Code Climate to giving up those configurations.
In any case, a small user base only means more potential damage, not that it is a bigger risk... Look at what happened with colour.js and faker.js.
No description provided.