by gernb 1507 days ago
You will not solve the dependency problem with permissions. You will only solve it by reducing dependencies and reviewing code before you update dependencies.

Adding permissions will do nothing except add ridiculous overhead and complexity, such that to get anything done devs will just give all permissions.

1 comment

Reducing dependencies is generally good (though often at odds with productivity), but I doubt we'll solve it through just reviewing code. Even with a small number of dependencies, the full tree can be absolutely enormous, and there are many ways to obfuscate attacks. It's a severe needle-in-a-haystack problem.

I don't see why permissions have to add "ridiculous overhead and complexity". Most dependencies need very limited (if any) system or network access. Locking those down would be a huge win, and it makes reviewing updates in large dependency trees realistic since you can zero in on permission changes.
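As an added illustration of the reply's point about zeroing in on permission changes when reviewing a dependency update (example code, not from the thread; the manifest format, package names and capability labels are all constructed):

```python
from typing import Dict, List, Set, Tuple

Caps = Dict[str, Set[str]]

# Constructed sample manifests: package name -> capabilities it declares.
OLD_TREE: Caps = {
    "left-pad": set(),
    "yaml-parse": {"fs:read"},
    "http-client": {"net:api.example.com"},
}
NEW_TREE: Caps = {
    "left-pad": {"net:*"},                               # string helper now wants the network
    "yaml-parse": {"fs:read"},                           # unchanged
    "http-client": {"net:api.example.com", "env:read"},  # gained environment access
    "new-transitive": {"fs:write"},                      # new package deep in the tree
}
# Constructed allowlist (deny by default): capabilities each package may hold.
POLICY: Caps = {
    "yaml-parse": {"fs:read"},
    "http-client": {"net:api.example.com"},
}


def capability_escalations(old: Caps, new: Caps) -> List[Tuple[str, Set[str]]]:
    """List (package, newly declared capabilities) for each package whose
    declared set grew; a package absent from the old tree counts in full."""
    findings = []
    for pkg, caps in sorted(new.items()):
        gained = caps - old.get(pkg, set())
        if gained:
            findings.append((pkg, gained))
    return findings


def policy_violations(tree: Caps, policy: Caps) -> List[Tuple[str, Set[str]]]:
    """List (package, capabilities beyond the allowlist). Unlisted packages
    are allowed nothing, so any capability they declare is a violation."""
    return [(pkg, caps - policy.get(pkg, set()))
            for pkg, caps in sorted(tree.items())
            if caps - policy.get(pkg, set())]


if __name__ == "__main__":
    # Review only what changed, rather than re-reading the whole tree.
    for pkg, gained in capability_escalations(OLD_TREE, NEW_TREE):
        print(f"REVIEW  {pkg}: newly requests {sorted(gained)}")
    for pkg, extra in policy_violations(NEW_TREE, POLICY):
        print(f"BLOCK   {pkg}: not allowed {sorted(extra)}")
```

The update review shrinks to three flagged packages, and the deny-by-default allowlist blocks the install until someone consciously grants the new capabilities.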