[dkdbejwi383]

If they have a HTTP API using standard authentication methods it's not that difficult to create a simple wrapper. Granted a bit more work if you want to do things like input/output validation too, but there's a trade-off between ownership there and avoiding these kinds of supply-chain attacks.

[jacquesm]

> Granted a bit more work if you want to do things like input/output validation too,

A bit? A proper input validator is a lot of work.

[dkdbejwi383]

If you aim for 100% coverage of the API you're integrating with, sure. But for most applications you're going to only be touching a small surface area, so you can validate paths you know you'll hit. Most of the time you probably don't need 100% parity, you need Just Enough for your use-case.

[jacquesm]

That's an excellent way to get bitten.

[dkdbejwi383]

I'm not sure how you mean.

To my understanding, there's less surface area for problems if I have a wrapper over the one or two endpoints some API provides, which I've written and maintain myself, over importing some library that wraps all 100 endpoints the API provides, but which is too large for me to fully audit.