by eatonphil
1474 days ago
> Good luck doing that in JS which has zero standard library on the browser.

The article is saying something more like vendor your dependencies (and cut out the stuff you don't use within dependencies).

> I prefer to not import tiny libraries but adopt the code into the codebase.

Yep, that's what the article is saying.
Perhaps people imagine that if they vendor they'll review all the code they pull in, but I've never seen it happen in practice beyond "LGTM". It wouldn't have found the log4j vulnerability, and could overlook even intentionally malicious code if only the source looked innocent enough at first glance.