by quantummkv 2353 days ago
Parcel, webpack and others are build tools very similar to compilers. They take code, process all of it and spit something out, something that would be distributed to the end users.

Now here is a very old and fascinating story - https://www.quora.com/What-is-a-coders-worst-nightmare/answe... and its base, the seminal Ken Thompson Hack - https://wiki.c2.com/?TheKenThompsonHack

Sounds dangerous? It should. It is very easy to inject code in a small unknown dependency out of those thousands and effectively recreate the Ken Thompson hack.

2 comments

Sure, but let's also take the code hosting situation into account: npm now comes with security audits during install, and github now comes with free dependency vulnerability monitoring. While "fewer deps means fewer vectors" is true, the security landscape has changed an unusual amount, and for the better, since that article was written.
> npm now comes with security audits during install, and github now comes with free dependency vulnerability monitoring

Ultimately, these are solutions to problems that should not exist in the first place.

This one is even better (sci-fi, but possible to execute by humans).

https://www.teamten.com/lawrence/writings/coding-machines/