by debarshri 1115 days ago
I agree with you. We will actually start playing around with use hooks. One package that has multiple utilities maintained by one entity is great. When you have multiple dependencies from multiple entities in your code, the surface area for a supply chain attack is larger.

It's not just about supply chain attacks. It's also about convenience and practicality. After a few months or years there will be some major dependency version updates to do, and often there is some manual work associated with that. Maybe reading changelogs and documentation, or checking if the package is still maintained and looking for alternatives. Doing that for 5 packages is reasonable, doing it for 20 or 30 packages is a liability.