npm audit: Broken by Design

Dan writes about why npm audit is broken. I’ve been there: you run a fresh, up-to-date install of create-react-app, and the audit that npm runs as part of install tells you your app is already vulnerable.

It’s an interesting read, but what I really liked were these two phrases:

The best time to fix it was before rolling it out… The next best time to fix it is now.

I like that. It applies to my designs and my code.

And then this:

In theory there is no difference between theory and practice. But in practice there is.