Unpinned dependencies are security holes: https://github.com/dominictarr/event-stream/issues/116 … Failing to use Nix, GUIX, a monorepo, your own private package mirror, or some other hermetic code source, is software malpractice. But after you make sure it's auditable, you still need to audit the code too.
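As an added example, not part of the tweet or of any project named in it: the two checks the tweet is arguing for, in Python. A pinned dependency is one whose spec names a single exact version, and a hermetic install is one where every fetched artifact is checked against a content hash recorded in the lockfile, so a tarball swapped at the registry (or a new release a range happens to satisfy) cannot land silently. The package names, versions, registry URL and tarball bytes below are constructed for illustration only.

```python
"""Lockfile hygiene checks: exact versions and content-addressed integrity.

Constructed example. The package names, versions, URLs and tarball bytes are
made up for illustration and do not refer to real packages.
"""
import base64
import hashlib
import hmac
import re

# A pinned spec is one concrete version, optionally with a prerelease tag.
EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$")


def is_exact_version(spec: str) -> bool:
    """True only for a single concrete version, never for '^1.2.3', '~1.2', '*'."""
    return bool(EXACT_VERSION.match(spec))


def unpinned_dependencies(package_json: dict) -> list:
    """(name, spec) pairs whose spec lets the resolver choose a newer release."""
    found = []
    for section in ("dependencies", "devDependencies"):
        for name, spec in package_json.get(section, {}).items():
            if not is_exact_version(spec):
                found.append((name, spec))
    return found


def sri(data: bytes, algo: str = "sha512") -> str:
    """Subresource-Integrity style digest string, the format npm lockfiles store."""
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


def verify_integrity(data: bytes, integrity: str) -> bool:
    """Check fetched tarball bytes against the lockfile's integrity string."""
    algo, _, expected_b64 = integrity.partition("-")
    if algo not in ("sha256", "sha384", "sha512") or not expected_b64:
        return False  # unknown or weak algorithm: treat as unverified
    actual_b64 = base64.b64encode(hashlib.new(algo, data).digest()).decode()
    return hmac.compare_digest(actual_b64.encode(), expected_b64.encode())


def lockfile_problems(lockfile: dict) -> list:
    """Entries missing the fields that make an install reproducible and tamper-evident."""
    problems = []
    for path, entry in lockfile.get("packages", {}).items():
        if path == "":  # the root project entry has no tarball of its own
            continue
        if not entry.get("resolved"):
            problems.append((path, "no resolved URL"))
        if not entry.get("integrity"):
            problems.append((path, "no integrity hash"))
    return problems


# --- constructed sample inputs (hypothetical packages) -----------------------
PUBLISHED_TARBALL = b"example-stream-3.3.4.tgz bytes (constructed)"
PACKAGE_JSON = {
    "dependencies": {
        "example-stream": "3.3.4",  # pinned
        "left-padder": "^1.1.0",    # range: any 1.x at or above 1.1.0 satisfies it
        "util-belt": "*",           # anything at all
    }
}
LOCKFILE = {
    "packages": {
        "": {"dependencies": PACKAGE_JSON["dependencies"]},
        "node_modules/example-stream": {
            "version": "3.3.4",
            "resolved": "https://registry.example.invalid/example-stream/-/example-stream-3.3.4.tgz",
            "integrity": sri(PUBLISHED_TARBALL),
        },
        "node_modules/left-padder": {
            "version": "1.3.0",
            "resolved": "https://registry.example.invalid/left-padder/-/left-padder-1.3.0.tgz",
            # integrity deliberately absent: a swapped tarball at this URL installs silently
        },
    }
}


if __name__ == "__main__":
    print("unpinned:", unpinned_dependencies(PACKAGE_JSON))
    print("lockfile problems:", lockfile_problems(LOCKFILE))
    entry = LOCKFILE["packages"]["node_modules/example-stream"]
    print("published tarball ok:", verify_integrity(PUBLISHED_TARBALL, entry["integrity"]))
    tampered = PUBLISHED_TARBALL + b"\x00"  # one extra byte is enough to fail the check
    print("tampered tarball ok:", verify_integrity(tampered, entry["integrity"]))
```

The integrity check is what makes a lockfile a hermetic source rather than a hint: the resolved URL says where to fetch, but only the hash says what must come back. Note that a hash pins bytes, not trustworthiness; as the tweet says, once the install is reproducible the code behind each hash still has to be read.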
Replying to @Ngnghm
Most people don't have the time or ability to thoroughly review all of their (nested!) dependencies. Ideally it could be outsourced; I would love a service where you could see that N auditors had signed off on package X @ commit Y.
Replying to @lukechampine
Indeed, there should be a market for public code audits. Code complexity with extraneous dependencies, and use of large untrusted ecosystems should also be understood as bad hygiene.