Hacker News

But how do you know which one is good? If the foo package sends out an announcement that v1.4.3 was hacked, upgrade now to v1.4.4, and you're on v1.4.3, waiting a week seems like a bad idea. But if the hackers are the ones sending the announcement, then you'd really want to wait the week!



An announcement isn't a quiet action. One would hope that the real maintainers would notice & take action.

Malicious versions are recalled and removed when caught, so you don't need to update to the next version.
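The check a practitioner would run before acting on an announcement like the one in the thread above, as an added example that is not part of the thread or of any project named in it: instead of trusting the announcement (which, as the first comment notes, could itself come from the attackers), ask the registry whether the version you are pinned to has actually been yanked or unpublished. The package names foo and bar are hypothetical, the registry documents below are constructed sample data rather than fetched responses, and their shape assumes the PyPI JSON API (per-file "yanked"/"yanked_reason" under "releases") and the npm registry document (a "versions" map plus a "time" map that keeps the publish timestamp of a version even after it is unpublished).

```python
"""
Audit pinned dependency versions against registry metadata for yank/unpublish
status, so that an "upgrade now" announcement can be checked rather than trusted.

Assumptions (this is example code, not any registry's official client):
  * PyPI JSON API shape: doc["releases"][version] is a list of files, each with
    "yanked" (bool) and "yanked_reason" (str or None).
  * npm registry shape: doc["versions"] holds version objects; doc["time"] holds
    a publish timestamp per version and keeps it when the version is unpublished.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample: PyPI-style document for a hypothetical package "foo"
# where 1.4.3 was yanked by the maintainers after a compromise.
PYPI_FOO = {
    "info": {"name": "foo", "version": "1.4.4"},
    "releases": {
        "1.4.2": [{"filename": "foo-1.4.2-py3-none-any.whl", "yanked": False, "yanked_reason": None}],
        "1.4.3": [{"filename": "foo-1.4.3-py3-none-any.whl", "yanked": True, "yanked_reason": "compromised release"}],
        "1.4.4": [{"filename": "foo-1.4.4-py3-none-any.whl", "yanked": False, "yanked_reason": None}],
    },
}

# Constructed sample: npm-style document for a hypothetical package "bar"
# where 2.0.1 was unpublished: its version object is gone, its timestamp remains.
NPM_BAR = {
    "name": "bar",
    "dist-tags": {"latest": "2.0.2"},
    "versions": {
        "2.0.0": {"version": "2.0.0", "dist": {"tarball": "https://registry.example/bar/-/bar-2.0.0.tgz"}},
        "2.0.2": {"version": "2.0.2", "dist": {"tarball": "https://registry.example/bar/-/bar-2.0.2.tgz"}},
    },
    "time": {
        "created": "2024-01-01T00:00:00.000Z",
        "2.0.0": "2024-01-01T00:00:00.000Z",
        "2.0.1": "2024-02-01T00:00:00.000Z",
        "2.0.2": "2024-02-03T00:00:00.000Z",
    },
}


@dataclass
class Verdict:
    package: str
    pinned: str
    status: str  # "ok", "yanked", "unpublished" or "unknown"
    reason: Optional[str] = None


def check_pypi(doc: dict, pinned: str) -> Verdict:
    """Classify a pinned version using a PyPI-style JSON document."""
    name = doc["info"]["name"]
    files = doc.get("releases", {}).get(pinned)
    if files is None:
        return Verdict(name, pinned, "unknown", "version not present in registry metadata")
    # A release counts as yanked only when every distributed file is yanked.
    if files and all(f.get("yanked") for f in files):
        reason = next((f.get("yanked_reason") for f in files if f.get("yanked_reason")), None)
        return Verdict(name, pinned, "yanked", reason)
    return Verdict(name, pinned, "ok")


def check_npm(doc: dict, pinned: str) -> Verdict:
    """Classify a pinned version using an npm-style registry document."""
    name = doc["name"]
    if pinned in doc.get("versions", {}):
        return Verdict(name, pinned, "ok")
    if pinned in doc.get("time", {}):
        # Publish timestamp survives but the version object is gone: unpublished.
        return Verdict(name, pinned, "unpublished", "version record removed from registry")
    return Verdict(name, pinned, "unknown", "version never published under this name")


CHECKERS = {"pypi": check_pypi, "npm": check_npm}


def audit_pins(pins: dict, registry_docs: dict) -> list:
    """
    pins: {package: pinned_version} as read from a lockfile.
    registry_docs: {package: (ecosystem, document)}.
    Returns one Verdict per pin; pins with no registry document are "unknown".
    """
    verdicts = []
    for package, version in pins.items():
        entry = registry_docs.get(package)
        if entry is None:
            verdicts.append(Verdict(package, version, "unknown", "no registry metadata available"))
            continue
        ecosystem, doc = entry
        verdicts.append(CHECKERS[ecosystem](doc, version))
    return verdicts


def needs_action(verdict: Verdict) -> bool:
    """True when the registry itself has pulled the pinned version."""
    return verdict.status in ("yanked", "unpublished")


if __name__ == "__main__":
    pins = {"foo": "1.4.3", "bar": "2.0.1", "baz": "0.1.0"}  # constructed lockfile pins
    docs = {"foo": ("pypi", PYPI_FOO), "bar": ("npm", NPM_BAR)}
    for v in audit_pins(pins, docs):
        flag = "ACT" if needs_action(v) else "hold"
        print(f"{flag:4} {v.package}=={v.pinned}: {v.status} ({v.reason or 'no reason given'})")
```

The decision rule this encodes: a registry yank or unpublish is evidence that the real maintainers (or the registry) acted, which an announcement e-mail alone is not. A pin that the registry still serves as normal is not proven safe by this check, but an "upgrade now" message about it has not been corroborated either, and that is the case where waiting, as the first comment suggests, costs little.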




