[jaabe]

It’s fine from a development perspective where the job is to make something work.

It’s horrifying from an operations perspective where the job is to make sure everything works.

Developers can afford to ignore looking into dependencies, operations need to make sure every dependency is functional and safe.

If you write a piece of C# using the standard .Net library you can be fairly sure it’s safe and sound. If you write something using 2000 JS packages, you have to read through every one of them to be sure.

[ownagefool]

I disagree that it's the job of a random ops person to ensure that a developers dependencies are sane.

Putting the onus on the developer to do a good job with regards to secure development practices is an essential part of a wider system.

[jaabe]

Oh I agree with that completely, but it’s very easy for developers to get away with shitty practices in a lot of shops.

[__oh_es]

Agree with you but this goes the other way too - Ops not allowing security patching or upgrading of systems because "they work".