Hacker News
by parl_match 780 days ago
The whole reality is kind of rough, and it shouldn't be this way.

Yes, but that is abstracted away easily as "someone else's problem". Mature organizations with SCA and policy around it will often do a library review that catches using less mature projects.

This means that you get a bunch of small companies that can't/won't maintain or contribute back to the projects themselves, and few big companies using it who'd have the overhead to contribute back.

In some cases, for popular and newer stuff, that means that when a vulnerability is found, you have hundreds of companies and projects downstream from the bad code. Meanwhile, the larger and more mature orgs flag it and deprecate or mitigate it (through various, expensive means like WAF/RASPs).

And by then, it might even be completely unsupported, or worse, has made breaking changes that strand many. Like a whalefall, it will feed hackers for a year.
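The "library review" policy the comment refers to is usually a mechanical gate over the dependency inventory rather than a manual read of each project. The following is an added illustration of such a gate, not code from the commenter or from any particular SCA product: it runs a small policy (project too young, no releases in too long, known advisory) over a constructed component list. Component names, dates and the advisory identifier are all invented for the example.

```python
from dataclasses import dataclass, field
from datetime import date

# Reference date for the constructed inventory below (hypothetical).
TODAY = date(2024, 6, 1)


@dataclass
class Component:
    """One entry from a dependency inventory (SBOM / lockfile + registry metadata)."""
    name: str
    version: str
    first_release: date          # when the project published its first release
    last_release: date           # most recent release of the project
    advisories: list = field(default_factory=list)  # known advisory ids, if any


@dataclass
class Policy:
    """Thresholds a mature org might encode in its SCA policy (values are illustrative)."""
    min_project_age_days: int = 365     # younger projects get flagged as immature
    max_staleness_days: int = 540       # no release in this long -> unmaintained
    block_on_advisory: bool = True      # any known advisory is a blocking finding


# Constructed sample inventory: one young project with an advisory,
# one abandoned project, one healthy project.
SAMPLE_COMPONENTS = [
    Component("fastjson-lite", "0.3.1", date(2024, 3, 15), date(2024, 5, 20),
              ["EXAMPLE-ADV-0001"]),                       # placeholder advisory id
    Component("oldparse", "2.1.0", date(2016, 1, 1), date(2021, 8, 1)),
    Component("stable-http", "5.4.2", date(2015, 6, 1), date(2024, 4, 2)),
]

DEFAULT_POLICY = Policy()


def review(components, policy=DEFAULT_POLICY, today=TODAY):
    """Return (name, kind, detail) findings for every policy violation."""
    findings = []
    for c in components:
        age_days = (today - c.first_release).days
        stale_days = (today - c.last_release).days
        if age_days < policy.min_project_age_days:
            findings.append((c.name, "immature",
                             f"project is only {age_days} days old"))
        if stale_days > policy.max_staleness_days:
            findings.append((c.name, "unmaintained",
                             f"last release was {stale_days} days ago"))
        if c.advisories and policy.block_on_advisory:
            findings.append((c.name, "vulnerable", ", ".join(c.advisories)))
    return findings


def gate(findings, blocking=frozenset({"vulnerable", "unmaintained"})):
    """True if the build may proceed: only non-blocking kinds (e.g. 'immature') remain.

    'immature' is reported but left as a review item, matching the comment's point
    that young projects get a human look rather than an automatic block.
    """
    return all(kind not in blocking for _, kind, _ in findings)


if __name__ == "__main__":
    results = review(SAMPLE_COMPONENTS)
    for name, kind, detail in results:
        print(f"{kind:<12} {name:<15} {detail}")
    print("build allowed:", gate(results))
```

In a real pipeline the `first_release`/`last_release` fields would come from the package registry and `advisories` from a vulnerability feed; the point of the example is that the policy itself is a few lines, so the cost the comment describes sits in the mitigation work after a finding, not in the detection.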