by carapace 2188 days ago
Cheers!

> How do you verify a dependency? Do you literally examine the source code?

Yeah. It's part of the overhead of using the software. You also look at the history of bugs and how they were handled.

> It's pretty common for JS projects to have thousands of transitive dependencies

Yeah, I know, and it's bonkers IMO.

> The entire open-source ecosystem is built on the foundation of trust

In practice, yes, but in theory, no. The whole idea is that you get to see the code you're running, because the guys who wrote it are clowns. Free Software started when RMS wanted to fix his printer and Xerox said, "No."

> if I use a package that's being used by 500 other packages, I can have a high degree of certainty that the package is safe

I think history has shown that that reasoning is at best probabilistic, eh? You're gambling.

Now, of course, there are limits. Some things get a pass. Do we audit the source of the bash shell? No, despite the fact that it's maintained by a single volunteer.

> Anyway maybe I'll look into the dependency portfolio, see how it goes.

Check out that "Hollywood Secrets" book I mentioned.


Thanks for sharing. It would be very interesting to know some of the examples when it paid off. Could you please share?