Deno 2.4

(deno.com)
133 points hackandthink | 3 comments
eranation No.44488684
I believe the reason Deno is not more widely used in production environments is the lack of a standardized vulnerability database (other than using 100% npm compatibility, which will take many popular Deno packages out of scope). The issue is that there is no real centralized package manager (by design), which makes it challenging. Was there any development in that direction?
replies(2): >>44489094 #>>44492946 #
1. simantel No.44492946
Wouldn't this also be a problem for Go, which just imports from URLs (mostly GitHub) as well?
replies(2): >>44493185 #>>44494857 #
2. No.44493185
3. jitl No.44494857
The Go imports use a Google-owned proxy for resolution which has a vulnerability facility. All golang package installs use the Google-owned proxy unless you set GOPROXY=direct when running go commands.

https://arc.net/l/quote/arrozgok