Unpinned dependencies are security holes: https://github.com/dominictarr/event-stream/issues/116 … Failing to use Nix, GUIX, a monorepo, your own private package mirror, or some other hermetic code source, is software malpractice. But after you make sure it's auditable, you still need to audit the code too.
-
-
Indeed, there should be a market for public code audits. Code complexity with extraneous dependencies, and use of large untrusted ecosystems should also be understood as bad hygiene.