When the left-pad debacle happened, I feared that people would conclude “dependencies are bad”. (Instead of the logical conclusion, which is “don’t allow dependencies to be deleted from package registries.”) That prediction turned out to be true. :(
I think this topic keeps getting derailed to software engineering stuff when it's really about authentication & authorization mechanisms, trust assumptions, porous dev communities. A false (but felt) small-trusted-community belief that "nobody is corrupting the stream" presently.
Like of course mutable vs. immutable packaging is an issue, but it's minor. People are going to auto-accept minor-version updates to a dep anyway. The issue is people worry about growth in the set of providers of those updates, inability to know "who all the authors are".
I come from the Python world which has significantly fewer dependencies due to the restrictions of the import system. There the total number of involved actors is much smaller and easier to audit.
As an example, every Sentry dependency in Python is signed off now. Nobody is allowed to add a new one without sign-off.
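The sign-off rule in the reply above, together with the earlier point about auto-accepting minor-version updates and mutable registries, can be enforced mechanically in CI. The script below is an added example and is not code from this thread or from Sentry: it parses a pip lockfile in `pip-compile --generate-hashes` style and fails when a package is not on an explicit allowlist, is not pinned to an exact version, or carries no `--hash`. The `APPROVED` set, the lockfile text, the package name `left-pad-py` and the digest values are all constructed for the example.

```python
"""
Added example (not from the original thread or from Sentry): a CI gate that
enforces a dependency allowlist plus exact pinning and hash pinning.

Checks, per package in the lockfile:
  1. the package is on APPROVED (someone signed off on it),
  2. the version is pinned with '==' (no silent minor-version drift),
  3. at least one --hash is present (the registry copy cannot be swapped).
"""
import re

# Constructed allowlist: packages a maintainer has explicitly signed off.
APPROVED = {"requests", "urllib3", "certifi", "idna", "charset-normalizer"}

# Constructed lockfile. The sha256 digests are placeholders, not real digests.
# `left-pad-py` is a hypothetical package that nobody signed off on; `idna`
# is deliberately range-pinned and hash-less so the other two checks fire.
LOCKFILE = """\
requests==2.31.0 \\
    --hash=sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
urllib3==2.0.7 \\
    --hash=sha256:bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
certifi==2023.7.22 \\
    --hash=sha256:cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc
charset-normalizer==3.3.0 \\
    --hash=sha256:dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd
idna>=3.4
left-pad-py==1.0.0 \\
    --hash=sha256:eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
"""

# name, optional [extras], optional operator, version. Markers after ';' are
# not handled; this targets the simple pip-compile output shape.
REQ_RE = re.compile(
    r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*(==|>=|<=|~=|!=|<|>)?\s*([^\s;]*)"
)


def normalize(name):
    """PEP 503 style normalization so 'Charset_Normalizer' == 'charset-normalizer'."""
    return name.lower().replace("_", "-")


def parse_lockfile(text):
    """Return a list of {name, op, version, hashes} for each logical requirement line."""
    # pip-compile splits hashes across lines ending in a backslash; rejoin them.
    logical = text.replace("\\\n", " ").splitlines()
    entries = []
    for line in logical:
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):  # skip blanks and pip options
            continue
        tokens = line.split()
        m = REQ_RE.match(tokens[0])
        if not m:
            raise ValueError(f"unparseable requirement: {tokens[0]!r}")
        entries.append({
            "name": normalize(m.group(1)),
            "op": m.group(2),
            "version": m.group(3),
            "hashes": [t[len("--hash="):] for t in tokens[1:] if t.startswith("--hash=")],
        })
    return entries


def audit(entries, approved):
    """Return (package, reason) findings; an empty list means the lockfile passes."""
    approved = {normalize(a) for a in approved}
    findings = []
    for e in entries:
        if e["name"] not in approved:
            findings.append((e["name"], "not signed off: add to APPROVED only after review"))
        if e["op"] != "==":
            findings.append((e["name"], "not pinned to an exact version"))
        if not e["hashes"]:
            findings.append((e["name"], "no --hash: registry contents could change unnoticed"))
    return findings


def main():
    findings = audit(parse_lockfile(LOCKFILE), APPROVED)
    for name, why in findings:
        print(f"{name}: {why}")
    return 1 if findings else 0  # non-zero exit fails the CI job


if __name__ == "__main__":
    raise SystemExit(main())
```

Run as a CI step after `pip-compile`; the only way a new package reaches production is a reviewed change to `APPROVED` in the same pull request that adds it to the lockfile, which is the sign-off the reply describes, made auditable in version control.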
I am *way* more worried about the Windows kernel from a security perspective than I am about left-pad.
NPM and http://crates.io make it easy to use something of unknown quality and to publish something of unknown quality. Once you start caring about quality then their bias towards "just get something working" works against you. Typical security vs. usability trade-off.
But all sharing makes that possible, since ever. Tons of the security problems in PHP applications used to stem from copy-and-pasting from the internet. Having that wrapped as libraries under a name makes analysis and updating much easier.
We only upgrade dependencies when a security issue affects our code. For that we use software like snyk.
there's attack surface due to volume of code (e.g. OS libraries), and attack surface due to number of SPoFs (e.g. small libraries by random authors, where any one of them could be compromised by incompetence or malice)