Less is safer: how Obsidian reduces the risk of supply chain attacks
9 hours ago
- #security
- #supply-chain
- #open-source
- Obsidian minimizes supply chain attack risks by reducing third-party code dependencies.
- Features like Bases and Canvas are built from scratch to maintain full control.
- Small utility functions are re-implemented; medium modules are forked if licenses allow.
- Large libraries (e.g., pdf.js) are included as known-good, version-locked files, upgraded cautiously.
- Only essential packages (e.g., Electron, CodeMirror) are shipped in the app; build tools (e.g., esbuild) are excluded.
- Dependencies are strictly version-pinned with lockfiles for deterministic builds and audit trails.
- Install-time scripts (preinstall/postinstall) are disabled, so adding or updating a dependency cannot run arbitrary code on the developer's or build machine.
- Dependency updates involve thorough reviews, changelog checks, sub-dependency audits, and extensive testing.
- Upgrades are slow and deliberate: a new dependency version is only adopted after a waiting period, so that a malicious or compromised release is likely to have been discovered and pulled before Obsidian picks it up.
- Combined measures (few dependencies, version pinning, no postinstall, slow upgrades) reduce supply chain risks.
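The following is an added example, not Obsidian's own code, showing how three of the practices above (exact version pins, lockfile agreement, and a waiting period before adopting a release) can be enforced as a pre-install policy check on an npm project. The package.json, package-lock.json and registry publish timestamps are constructed for illustration; the `hasInstallScript` field is the one npm writes into lockfile version 2/3 entries when a package declares an install-time script.

```javascript
// Added example (not Obsidian's code): a pre-install policy check for an npm
// project. All inputs below are constructed; real runs would read package.json,
// package-lock.json and the registry's "time" document (`npm view <pkg> time --json`).

// A semver string with no range operator: "1.2.3" or "1.2.3-beta.1".
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$/;

// Constructed package.json. esbuild is a build tool, so it sits in
// devDependencies and is never bundled into the shipped app.
const pkg = {
  dependencies: {
    electron: "28.1.0",
    "@codemirror/view": "^6.23.0", // caret range: a newer minor can slip in
    "pdfjs-dist": "4.0.379",
  },
  devDependencies: { esbuild: "0.19.11" },
};

// Constructed package-lock.json (lockfileVersion 3 layout: entries keyed by
// node_modules path; hasInstallScript marks packages with install-time scripts).
const lock = {
  packages: {
    "node_modules/electron": { version: "28.1.0", integrity: "sha512-AAAA", hasInstallScript: true },
    "node_modules/@codemirror/view": { version: "6.23.1", integrity: "sha512-BBBB" },
    "node_modules/pdfjs-dist": { version: "4.0.380", integrity: "sha512-CCCC" },
    "node_modules/esbuild": { version: "0.19.11", integrity: "sha512-DDDD", hasInstallScript: true },
  },
};

// Constructed publish timestamps, keyed "name@version".
const publishTimes = {
  "electron@28.1.0": "2024-01-10T00:00:00Z",
  "@codemirror/view@6.23.1": "2024-01-25T00:00:00Z",
  "pdfjs-dist@4.0.380": "2024-01-05T00:00:00Z",
  "esbuild@0.19.11": "2023-12-20T00:00:00Z",
};

const allDeclared = (manifest) => ({ ...(manifest.dependencies || {}), ...(manifest.devDependencies || {}) });

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
const nameOf = (path) => path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);

// Declared ranges that are not exact pins.
function findUnpinned(manifest) {
  return Object.entries(allDeclared(manifest))
    .filter(([, range]) => !EXACT_VERSION.test(range))
    .map(([name, range]) => ({ name, range }));
}

// Exact pins whose lockfile entry is missing or resolves to a different version.
function findLockDrift(manifest, lockfile) {
  const drift = [];
  for (const [name, range] of Object.entries(allDeclared(manifest))) {
    const entry = lockfile.packages[`node_modules/${name}`];
    if (!entry) drift.push({ name, pinned: range, locked: null });
    else if (EXACT_VERSION.test(range) && entry.version !== range) drift.push({ name, pinned: range, locked: entry.version });
  }
  return drift;
}

// Packages that would run code at install time unless ignore-scripts=true is set.
function findInstallScripts(lockfile) {
  return Object.entries(lockfile.packages)
    .filter(([path, e]) => path !== "" && e.hasInstallScript)
    .map(([path]) => nameOf(path));
}

// Locked versions published less than minAgeDays before `now` (or with no known date).
function findTooNew(lockfile, times, now, minAgeDays) {
  const msPerDay = 86400000;
  const tooNew = [];
  for (const [path, e] of Object.entries(lockfile.packages)) {
    if (path === "") continue; // root project entry in real lockfiles
    const name = nameOf(path);
    const published = times[`${name}@${e.version}`];
    const ageDays = published === undefined ? null : (now - Date.parse(published)) / msPerDay;
    if (ageDays === null || ageDays < minAgeDays) tooNew.push({ name, version: e.version, ageDays });
  }
  return tooNew;
}

function auditDependencies(manifest, lockfile, times, now, minAgeDays) {
  const report = {
    unpinned: findUnpinned(manifest),
    lockDrift: findLockDrift(manifest, lockfile),
    installScripts: findInstallScripts(lockfile), // informational; blocked by ignore-scripts
    tooNew: findTooNew(lockfile, times, now, minAgeDays),
  };
  report.ok = report.unpinned.length === 0 && report.lockDrift.length === 0 && report.tooNew.length === 0;
  return report;
}

const NOW = Date.parse("2024-02-01T00:00:00Z");
console.log(JSON.stringify(auditDependencies(pkg, lock, publishTimes, NOW, 14), null, 2));
```

On the constructed inputs the check fails: `@codemirror/view` is declared with a caret range and its locked version is only 7 days old, and `pdfjs-dist` is pinned to 4.0.379 while the lockfile holds 4.0.380. The install-script list is reported rather than failed, because the intended control for it is `ignore-scripts=true` in the project's `.npmrc`, paired with `npm ci` so that installs are driven by the lockfile alone.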