> If your app is made up of more packages and dependencies than you can audit then you're doing it wrong.
My current employer has a policy where every dependency needs to be part of the software BOM (except it's FAR more comprehensive than what passes as an SBOM in the industry, it's an excel sheet that goes into the double-letter columns, including, among many other things, a rationale for why you're using $thing) and signed off by legal (a process taking some time). It's kinda irritating to do, but it also opened my eyes to how completely unauditable e.g. npm-based projects are. Not that I had a high opinion of npm before. The other day we had a thread here with a similar topic and someone said "No one knows how to do builds without the internet", someone else chimed in saying that Flutter (or some other framework) actually can't do offline builds; pip is actually somewhat similar, as PEP517 causes it to try and run for PyPI even when installing packages purely from a local source; this can be easily disabled though.
Those things are utter insanity to me. You have no control. You have no idea what code you're running now, let alone tomorrow. Your builds will never reproduce, and your CI is going to fail whenever some random cloud webshit goes down.
Same for VSCode btw. ... it's not even shared source.
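The pip behaviour mentioned in the post above (PEP 517 build isolation reaching out to PyPI even for a local install) can be shut off and the install pinned to a local wheelhouse. The script below is an added example, not code from the thread or from pip itself; it assumes the wheels were downloaded earlier on a connected machine and that `requirements.txt` carries `--hash=sha256:` pins.

```shell
#!/bin/sh
# Added example (not from the thread): a fully offline, hash-pinned pip install.
# Assumed setup: wheels were fetched earlier on a connected machine with
#   python3 -m pip download -r requirements.txt -d ./wheelhouse
# and requirements.txt carries a --hash=sha256:... pin for every entry.

# Return 0 only if every requirement in $1 carries a sha256 hash pin.
# Handles the usual multi-line form (trailing backslash continuations),
# skips blank lines and comments, and reports each unpinned entry.
require_hash_pins() {
    reqfile="$1"
    status=0
    entry=''
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            *\\) entry="$entry${line%\\} "; continue ;;   # join continuation
        esac
        entry="$entry$line"
        trimmed=$(printf '%s' "$entry" | sed 's/^[[:space:]]*//')
        entry=''
        case "$trimmed" in
            ''|'#'*) ;;                                    # blank or comment
            *--hash=sha256:*) ;;                           # pinned: fine
            *) echo "unpinned requirement: $trimmed" >&2; status=1 ;;
        esac
    done < "$reqfile"
    return "$status"
}

# Install from the local wheelhouse without ever consulting an index.
#   --no-index / --find-links : resolve only from the local directory
#   --no-build-isolation      : do not create a PEP 517 isolated build env,
#                               which is what makes pip fetch build backends
#                               from PyPI; setuptools/wheel must be preinstalled
#   --require-hashes          : reject any artifact whose sha256 is not listed
offline_install() {
    reqfile="$1"
    wheelhouse="$2"
    require_hash_pins "$reqfile" || return 1
    python3 -m pip install --no-index --find-links "$wheelhouse" \
        --no-build-isolation --require-hashes -r "$reqfile"
}

# usage: offline_install requirements.txt ./wheelhouse
```

If any entry lacks a hash, the pre-check refuses to run pip at all, so a stray unpinned line cannot quietly widen what the build will accept.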
I totally agree. I am bewildered by the large number of developers working in such blind, insecure environments. Entire tech sectors that grind to a halt when github goes down. It is insanity.
We all talk about unit test coverage, end-to-end testing, hiring the right people (leetcode hell treadmill) all while we slide absolute crap in through the backdoor. It's Kafkaesque.