
Just saying they didn't do nothing. Maybe they didn't do as well as they could have, but they did do something.



Calling it resolved is worse than doing nothing. If they had done nothing, at least people would know that "If I run npm install now, that's bad". Now they've claimed it is resolved, which tells their users "It's okay to start installing things again" when it isn't safe until an audit has been completed.



