Every dependency you add is a supply chain attack waiting to happen
6 days ago
- #supply-chain-security
- #software-development
- #dependencies
- Fewer dependencies make programs safer by reducing supply chain attack risks.
- Third-party libraries, including dev dependencies, can be compromised, as seen in incidents like the XZ backdoor, Trivy, and LiteLLM.
- Automatic updates via tools like Dependabot can introduce problems; it's safer to disable them and update dependencies manually only when needed.
- Evaluate new dependencies carefully and consider copying small amounts of code instead of adding dependencies, as advised by a Go proverb.
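As an added example (not from the original post), a small Python audit that applies the points above to an npm lockfile: it counts direct versus transitive packages, counts dev dependencies separately, and flags any entry that is not pinned to an https registry tarball with an integrity hash. The lockfile embedded below is constructed; its package names, URLs and hashes are made up.

```python
"""Audit an npm package-lock.json (lockfileVersion 3): how many packages a
project really pulls in (dev dependencies included) and whether each one is
pinned to an https registry tarball with an integrity hash."""
import json

# Constructed sample lockfile; package names, URLs and hashes are made up.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"pad-helper": "^1.0.0"},
             "devDependencies": {"lint-tool": "2.0.0"}},
        "node_modules/pad-helper": {
            "version": "1.0.3",
            "resolved": "https://registry.example/pad-helper-1.0.3.tgz",
            "integrity": "sha512-AAAA", "dependencies": {"tiny-util": "*"}},
        "node_modules/tiny-util": {  # transitive, no integrity hash
            "version": "0.2.0",
            "resolved": "https://registry.example/tiny-util-0.2.0.tgz"},
        "node_modules/lint-tool": {  # dev-only, fetched straight from git
            "version": "2.0.0", "dev": True,
            "resolved": "git+ssh://git@example.invalid/lint-tool.git#deadbeef",
            "dependencies": {"color-helper": "^3"}},
        "node_modules/color-helper": {
            "version": "3.1.0", "dev": True,
            "resolved": "https://registry.example/color-helper-3.1.0.tgz",
            "integrity": "sha512-CCCC"},
    },
})

def audit_lockfile(text):
    """Return (counts, findings) for the JSON text of a lockfile."""
    packages = json.loads(text)["packages"]
    root = packages.get("", {})
    direct = set(root.get("dependencies", {})) | set(root.get("devDependencies", {}))
    counts = {"direct": len(direct), "transitive": 0, "dev": 0}
    findings = []
    for path, meta in packages.items():
        if path == "":
            continue  # the project itself
        name = path.rsplit("node_modules/", 1)[-1]
        if name not in direct:
            counts["transitive"] += 1  # pulled in indirectly, rarely reviewed
        if meta.get("dev"):
            counts["dev"] += 1  # dev-only code still runs on developer and CI machines
        if "integrity" not in meta:
            findings.append(f"{name}: no integrity hash, tarball is not verified on install")
        if not meta.get("resolved", "").startswith("https://"):
            findings.append(f"{name}: resolved from {meta.get('resolved')!r}, not an https registry")
    return counts, findings
```

Run it against a real lockfile by passing the file's contents to `audit_lockfile`; the transitive count is usually the number that surprises people.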