[worble]

> when it doesn't pwn you.

That's a pretty big asterisk though. Taking on a supply chain risk in exchange for reducing developer friction is not worth it in a lot of situations. Every dependency you take increases your risk of getting pwned (especially when it pulls in it's own dependencies), and you seriously need to consider whether it's worth that when you install it.

Don't get me wrong, sometimes it is; I'm certainly not going to create my own web framework from scratch, but a web request helper? Maybe not so much.

[zarzavat]

What the axios attack shows is that even if you stick to sensible, popular packages you can still get pwned if you are not following best practices: set a min age, don't npm install except from a lock file, preferably work in a VM, etc.

Yesterday it's axios, tomorrow it could be react, vite, or typescript. Sticking to only "required" packages won't save you, you have to fix the problem at the root by improving your own security practices. Make the attack impossible, not just unlikely.