by EGreg 1577 days ago
I have been writing for years that package managers are a big security risk, and if you’re writing a platform that’s going to be used everywhere, you should import code by hand and verify what has changed. Or just write it yourself. Yes, seriously. Learn what your code base does. If your library is used N times then every hour you spend saves N people-hours.

It’s just like using Slack: you think you’re saving time because of the immediacy, but wind up paying the price down the line because 1 person can save N people time with threaded asynchronous stuff.

Others have said this as well: https://news.ycombinator.com/item?id=15272394
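
One way to put "import code by hand and verify what has changed" into practice, added here as an illustration in Go (not the commenter's code): pin a manifest of per-file SHA-256 digests for the vendored copy, so that every upstream update reduces to an explicit list of added, removed and changed files that must be read before the new manifest is committed as the new pin. The directory layout, file names and contents are constructed for the demo.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
)

// Manifest maps a path relative to the vendored directory to the hex SHA-256 of
// that file's contents. The manifest committed alongside the code is the pin.
type Manifest map[string]string

// Snapshot hashes every regular file under dir.
func Snapshot(dir string) (Manifest, error) {
	m := Manifest{}
	err := filepath.WalkDir(dir, func(path string, d fs.DirEntry, err error) error {
		if err != nil || d.IsDir() {
			return err
		}
		data, err := os.ReadFile(path)
		if err != nil {
			return err
		}
		rel, err := filepath.Rel(dir, path)
		if err != nil {
			return err
		}
		sum := sha256.Sum256(data)
		m[filepath.ToSlash(rel)] = hex.EncodeToString(sum[:])
		return nil
	})
	return m, err
}

// Diff is the review worklist produced by an upstream update: every path here
// must be read before the new manifest is committed as the new pin.
type Diff struct {
	Added, Removed, Changed []string
}

// Compare lists what differs between the pinned and the freshly imported tree.
func Compare(pinned, current Manifest) Diff {
	var d Diff
	for path, sum := range current {
		switch old, ok := pinned[path]; {
		case !ok:
			d.Added = append(d.Added, path)
		case old != sum:
			d.Changed = append(d.Changed, path)
		}
	}
	for path := range pinned {
		if _, ok := current[path]; !ok {
			d.Removed = append(d.Removed, path)
		}
	}
	sort.Strings(d.Added)
	sort.Strings(d.Removed)
	sort.Strings(d.Changed)
	return d
}

// Clean reports whether the tree still matches the pin, i.e. the earlier review
// still covers it and nothing needs to be re-read.
func (d Diff) Clean() bool {
	return len(d.Added)+len(d.Removed)+len(d.Changed) == 0
}

// Constructed demo: vendor two files and pin them, then simulate an upstream
// release that rewrites one file and adds a new one.
func main() {
	dir, err := os.MkdirTemp("", "vendor")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	write := func(name, body string) {
		if err := os.WriteFile(filepath.Join(dir, name), []byte(body), 0o644); err != nil {
			panic(err)
		}
	}
	write("index.js", "module.exports = x => x\n")
	write("LICENSE", "MIT\n")
	pinned, _ := Snapshot(dir)

	write("index.js", "module.exports = x => x // v2\n")
	write("postinstall.js", "// new in this release\n")
	current, _ := Snapshot(dir)

	d := Compare(pinned, current)
	fmt.Printf("clean=%v added=%v removed=%v changed=%v\n", d.Clean(), d.Added, d.Removed, d.Changed)
	// clean=false added=[postinstall.js] removed=[] changed=[index.js]
}
```

The point of hashing per file rather than per tarball is that the worklist is the review scope: a release that touches only `LICENSE` costs a minute, while one that adds a new install-time script is flagged as such before it is ever executed.
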


> I have been writing for years that package managers are a big security risk

Like all tools used by humans, package managers are used for great good, and terrible evil. The great good (from a security point of view) is that we can distribute new features and patches quickly and freely. The bad: we can distribute nefarious code just as easily.

> Or just write it yourself.

Writing code is how bugs are created. Often popular libraries are much more robust and secure than bespoke code. Sometimes they are not.

> Learn what your code base does.

Great advice.

I plug this every time, but here goes: https://github.com/crev-dev/crev solves this by providing code reviews, scales via a web-of-trust model, and relies on cryptographic identities. That way, you can depend on a package without having to trust its maintainers and all future versions.
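
A sketch of the mechanism this comment attributes to crev (signed reviews of an exact package digest, with trust flowing through a web of trust rather than to the package's maintainer), added here as an illustration in Go; it is not crev's code, proof format or trust algorithm. The proof layout, the message framing strings, the reviewer names and the digest placeholders are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"strings"
)

// ReviewProof: a reviewer's signed verdict ("positive" or "negative") on one exact
// package digest. Reviewer is the hex Ed25519 public key, which doubles as the ID.
type ReviewProof struct{ Package, Version, Digest, Verdict, Reviewer string; Sig []byte }

// TrustProof: reviewer From vouches for reviewer To (an edge in the web of trust).
type TrustProof struct{ From, To string; Sig []byte }

func reviewMsg(p ReviewProof) []byte {
	return []byte(strings.Join([]string{"review-v0", p.Package, p.Version, p.Digest, p.Verdict}, "\n"))
}
func trustMsg(t TrustProof) []byte { return []byte("trust-v0\n" + t.From + "\n" + t.To) }

// verifyBy checks sig over msg against the public key encoded in id.
func verifyBy(id string, msg, sig []byte) bool {
	pk, err := hex.DecodeString(id)
	return err == nil && len(pk) == ed25519.PublicKeySize && ed25519.Verify(ed25519.PublicKey(pk), msg, sig)
}

// Identity is a reviewer keypair (constructed in-process for the demo).
type Identity struct {
	ID   string
	priv ed25519.PrivateKey
}

func NewIdentity() Identity {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Identity{ID: hex.EncodeToString(pub), priv: priv}
}

func (id Identity) Review(pkg, ver, digest, verdict string) ReviewProof {
	p := ReviewProof{Package: pkg, Version: ver, Digest: digest, Verdict: verdict, Reviewer: id.ID}
	p.Sig = ed25519.Sign(id.priv, reviewMsg(p))
	return p
}

func (id Identity) Trust(other string) TrustProof {
	t := TrustProof{From: id.ID, To: other}
	t.Sig = ed25519.Sign(id.priv, trustMsg(t))
	return t
}

// TrustedSet closes the directly trusted IDs over valid trust proofs, so that
// reviewers vouched for (transitively) by your reviewers also count. Only a proof
// signed by an already-trusted key can extend the set.
func TrustedSet(roots []string, proofs []TrustProof) map[string]bool {
	trusted := map[string]bool{}
	for _, r := range roots {
		trusted[r] = true
	}
	for changed := true; changed; {
		changed = false
		for _, t := range proofs {
			if trusted[t.From] && !trusted[t.To] && verifyBy(t.From, trustMsg(t), t.Sig) {
				trusted[t.To], changed = true, true
			}
		}
	}
	return trusted
}

// Verified accepts (pkg, ver, digest) only with a valid positive proof from a
// trusted reviewer and no valid negative one. A proof whose content no longer
// matches its signature (tampered or forged) is ignored.
func Verified(pkg, ver, digest string, proofs []ReviewProof, trusted map[string]bool) bool {
	positives := 0
	for _, p := range proofs {
		if p.Package != pkg || p.Version != ver || p.Digest != digest ||
			!trusted[p.Reviewer] || !verifyBy(p.Reviewer, reviewMsg(p), p.Sig) {
			continue
		}
		if p.Verdict == "negative" {
			return false
		}
		positives++
	}
	return positives > 0
}

// Scenario (constructed): you trust alice, alice vouches for bob, mallory is a
// stranger. v1 carries bob's review, v2 only mallory's; the third case is bob's
// v1 proof re-pointed at v2's version and digest without re-signing.
func Scenario() (v1, v2, tampered bool) {
	alice, bob, mallory := NewIdentity(), NewIdentity(), NewIdentity()
	trusted := TrustedSet([]string{alice.ID}, []TrustProof{alice.Trust(bob.ID)})
	good := bob.Review("examplepkg", "1.0.0", "sha256:DIGEST-V1-PLACEHOLDER", "positive")
	bad := mallory.Review("examplepkg", "1.0.1", "sha256:DIGEST-V2-PLACEHOLDER", "positive")
	forged := good
	forged.Version, forged.Digest = bad.Version, bad.Digest
	v1 = Verified("examplepkg", "1.0.0", good.Digest, []ReviewProof{good, bad}, trusted)
	v2 = Verified("examplepkg", "1.0.1", bad.Digest, []ReviewProof{good, bad}, trusted)
	tampered = Verified("examplepkg", "1.0.1", bad.Digest, []ReviewProof{forged}, trusted)
	return
}

func main() {
	v1, v2, tampered := Scenario()
	fmt.Printf("v1=%v v2=%v tampered=%v\n", v1, v2, tampered) // v1=true v2=false tampered=false
}
```

Running it prints `v1=true v2=false tampered=false`. v1 passes because bob's review is reachable from the trust you placed in alice; v2 fails because a new release has no review from anyone you trust, regardless of who published it, which is what "without having to trust its maintainers and all future versions" buys you; the re-pointed proof fails because its signature no longer covers its content. This sketch propagates trust without limit along valid vouching proofs; a deployment would normally cap the depth and let trust weaken with distance.

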

> I have been writing for years that package managers are a big security risk

"Wild-west"-style package managers (more specifically, their repos) are a big security risk.

It's possible to have far more confidence in "maintained" packaging repositories.

The general trend has been towards less confidence in 3rd party software and packages. I'm not sure that is going to reverse any time soon.