by Pxtl
5 days ago
To play devil's advocate for a moment (although I hate it): LoC often actually means NIH... but NIH suddenly has a pretty big proponent in the form of resistance to supply-chain attacks.

Basically the choices are:

1. Roll your own
2. Lockfile your deps for too long
3. Chase the bleeding edge for every dependency

The first is security-through-obscurity because DIY libs will have bugs and vulns but they won't be well-known. The second means missing known vulnerabilities. The third means supply-chain risk.

The rash of attacks and the ease of LLM-powered roll-your-own has shifted the risk-reward calculus towards 1. But I hate it. This is the further Peter Pan never-gonna-grow-up of our industry that we cannot develop solid best-practice tools and must churn endlessly.