I just don't see how anyone could realistically look at all the lines of code that any nontrivial JavaScript app relies on in any depth.
I'm sure most people don't review the code for their operating system, drivers, web server, compiler, browser etc. but they do assess if the entities that write + support them are worth trusting. This is likely the only realistic approach for complex JavaScript apps also.
> > I just don't see how anyone could realistically look at all the lines of code that any nontrivial JavaScript app relies on in any depth.
> Right. And that's really bad.
> > I'm sure most people don't review the code for their operating system, drivers, web server, compiler, browser etc.
> Right, but some people do. Hire one of them.
The interesting question isn't if you can do it, it's when should you, to what extent, and how much it will cost.
"Always do it, do it in-depth, the time consumed isn't important and the budget isn't important" is a bad approach for example and isn't helpful to the OP.
Successful software development is all about making appropriate tradeoffs - you're not going to get very far by conducting your own OpenSSL audit when all you want to do is write a todo web app.
Hey I'm just answering the question, yeah? We do it. It's not that hard. You pay the overhead upfront and have fewer surprises. Read the "Hollywood Secrets" book, it makes a lot of IMO good points.
I once helped a guy build a go-cart out of an old lawn mower engine and a bed frame. It was a lot of fun. We didn't do any research, we just made it.
If I'm provisioning a commercial fleet (for a delivery service or something) I'm going to do my homework to make sure the cars we deploy are low-maintenance, high-mileage, with a good safety record, etc.