by ransackdev 1032 days ago
How’s your vulnerability reporting process, and how much experience do you have interpreting complicated pen-tester bug reports about some buffer-overflow zero-day in your homebrew query string parser?

Huge difference between working fine and working right. The security implications of rolling your own are why I say “you don’t want to…”

Also, none of that code has anything to do with the product you’re actually trying to build. IMO it’s additional maintenance, tech debt, and attack surface, and it’s a problem a large community has already solved, with more knowledge from the security community baked in and more eyes finding and plugging holes.

1 comments
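To make the “working fine vs. working right” point concrete, here is an added example (not code from the thread or from any real project) of the homebrew query string parser the comment above warns about. The naive, fixed-buffer shape such parsers usually take is shown only in a comment; the live code is a bounds-checked version that rejects over-long components and malformed percent-escapes instead of silently corrupting memory or data. The function names, the `struct kv` type and the size limits are all assumptions chosen for this example; the sample inputs are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stddef.h>

#define KV_MAX  16   /* max key=value pairs we will accept (assumed limit) */
#define COMP_MAX 64  /* max decoded bytes per key or value, incl. NUL */

struct kv { char key[COMP_MAX]; char val[COMP_MAX]; };

/* The shape a homebrew parser often takes (constructed for this example, not
 * taken from any real code): copy into a fixed buffer with no check against
 * its size. A component longer than COMP_MAX-1 bytes writes past key[] or
 * val[], which is exactly the "buffer overflow in your query string parser"
 * bug report the comment above is talking about.
 *
 *   static void copy_unbounded(char *dst, const char *src, size_t n) {
 *       for (size_t i = 0; i < n; i++) dst[i] = src[i];  // no bound on dst
 *       dst[n] = '\0';
 *   }
 */

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Percent-decode src[0..n) into dst (capacity cap, including the NUL).
 * '+' becomes a space. Returns the decoded length, or -1 if the output would
 * not fit or an escape is truncated ("%2") or non-hex ("%zz"). */
static int decode_component(char *dst, size_t cap, const char *src, size_t n) {
    size_t o = 0;
    for (size_t i = 0; i < n; i++) {
        int c = (unsigned char)src[i];
        if (c == '+') {
            c = ' ';
        } else if (c == '%') {
            if (i + 2 >= n) return -1;                 /* truncated escape */
            int hi = hexval((unsigned char)src[i + 1]);
            int lo = hexval((unsigned char)src[i + 2]);
            if (hi < 0 || lo < 0) return -1;           /* malformed escape */
            c = hi * 16 + lo;
            i += 2;
        }
        if (o + 1 >= cap) return -1;                   /* keep room for NUL */
        dst[o++] = (char)c;
    }
    dst[o] = '\0';
    return (int)o;
}

/* Parse "a=1&b=two+words%21&c" into out[]. Returns the number of pairs, or
 * -1 on any malformed escape, over-long component or too many pairs, so the
 * caller sees an error rather than truncated or corrupted data. */
int parse_query(const char *qs, struct kv *out, size_t max_pairs) {
    size_t count = 0;
    const char *p = qs;
    while (*p) {
        const char *amp = strchr(p, '&');
        size_t seglen = amp ? (size_t)(amp - p) : strlen(p);
        if (seglen > 0) {                              /* skip "a=1&&b=2" */
            if (count >= max_pairs) return -1;
            const char *eq = memchr(p, '=', seglen);
            size_t klen = eq ? (size_t)(eq - p) : seglen;
            const char *v = eq ? eq + 1 : p + seglen;  /* bare key -> "" */
            size_t vlen = seglen - klen - (eq ? 1 : 0);
            if (decode_component(out[count].key, sizeof out[count].key, p, klen) < 0) return -1;
            if (decode_component(out[count].val, sizeof out[count].val, v, vlen) < 0) return -1;
            count++;
        }
        p = amp ? amp + 1 : p + seglen;
    }
    return (int)count;
}

/* Look up a key; NULL if absent. Linear scan is fine for KV_MAX entries. */
const char *query_get(const struct kv *kvs, int n, const char *key) {
    for (int i = 0; i < n; i++)
        if (strcmp(kvs[i].key, key) == 0) return kvs[i].val;
    return NULL;
}

int main(void) {
    struct kv kvs[KV_MAX];
    int n = parse_query("user=alice&q=hello+world%21&flag", kvs, KV_MAX);
    for (int i = 0; i < n; i++) printf("%s = \"%s\"\n", kvs[i].key, kvs[i].val);

    /* Constructed hostile input: a 200-byte value that the unbounded copy
     * above would write straight past a 64-byte buffer. */
    char big[256];
    memcpy(big, "v=", 2);
    memset(big + 2, 'A', 200);
    big[202] = '\0';
    printf("over-long value: %d\n", parse_query(big, kvs, KV_MAX));   /* -1 */
    printf("bad escape:      %d\n", parse_query("q=%zz", kvs, KV_MAX)); /* -1 */
    return 0;
}
```

The rejected cases are the ones a pen tester would probe first: an over-long component, a truncated `%2`, and a non-hex `%zz`. A library parser gets these right because they have already been reported against it many times; a homebrew one has to discover each of them on its own.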

In the aughts, when everyone was rolling their own framework, security and maintenance were a nightmare. It's undeniable. We traded one problem for another, however, and we've gone too far. I think the question at hand is which is more secure/maintainable: 10 KB of custom utilities or 100 MB of mystery-meat modules that, let's face it, will never be reviewed. It's not a simple answer.
Smaller file sizes or fewer LOC are not inherently safer than larger sizes or more LOC. If you’re building web apps, you’re more than likely reaching for a handful of packages, and so are millions of other people, and so are multi-billion-dollar companies: companies with staff whose job it is to do supply chain security, PCI compliance auditing and security assessments, who hire pen testing firms, and some of whom even write browsers and can sway the direction of our entire industry and the internet as a whole. Countless static code analyses are run on the millions of CI jobs a day on builds that pull in the package, etc. If you’re using popular and maintained open source packages, people are looking at them. Shy away from no-name packages with no usage unless you personally look at the code. That’s my take on it. I tend to trust the open source community to all be working towards the shared goal of well-crafted and secure code for the world to use and benefit from.