[lrvick]

Here is the entire guide you need to protect yourself from supply chain attacks as a software engineer.

Pick whichever of these will consume the fewest resources over time:

1. review an existing library and all dependencies, and all security updates to them forever (or ensure someone capable does or did)

2. implement the minimal functions you require on top of the language standard library yourself

Yes, this is serious advice, and I have followed it while shipping web applications to millions of people at multiple companies, as a consultant for many more companies, and as a founder and security engineer.

[sho]

Advice that you know, or should know, won't and indeed can't be followed isn't serious advice, it's just posturing. "Security engineer" or not, if you stood up in that kick-off meeting and with a straight face proposed that the team spend the first 3 months reviewing React before starting work - you're out, and rightly so.

Security and convenience are always in tension, but there is usually a productive, "sweet spot" middle ground. Your "solution" is way off to one side of that sweet spot. The status quo is probably a little too far off in the other direction. But a happy medium can be found where most teams are fine, most of the time, while retaining the ability to take advantage from the open source ecosystem.

[fergie]

Whilst I basically agree with the general point you are making, I wonder if the time has in fact arrived when a greenfield project should choose Web Components over React?

[eastbound]

Your suggestion is that I should reimplement React from scratch to avoid supply chain attacks. Like an American fab should extract ore locally to prevent shortages.

[minitech]

If you ignore the other half of the suggestion, yeah. Designating trusted reviewers to audit dependencies like React would be downright cheap at scale. The issue is just setting up and popularizing the systems to achieve this. It’s a little harder than it should be because lots of companies don’t take software security seriously enough.

(And hey, if anyone is looking for people to do this kind of work for their node_modules at very low cost, I’m available right now! `unfrosted_handsaw${107 * 2}@simplelogin.com`)