[vampiregrey]

I’m not sure I buy this framing.

I agree that reading every dependency isn’t realistic. But “not reading the code” as a principle feels risky.

In my experience, abstractions hold until they don’t. The first time you hit a production incident and the docs stop helping, reading the source stops being academic and starts being survival.

We once had a performance issue caused by a library making assumptions about concurrency that weren’t obvious from the API. The fix only became clear after stepping through the source.

I think the real skill isn’t avoiding reading code, it’s knowing when to escalate from trust to understanding.

For glue code or low stakes utilities, sure. For auth, billing, or core infra, I’d argue reading at least the critical paths pays dividends.