Dependencies and supply chain risk
Recently Mitchell Hashimoto posted on X the text below, which I find very interesting and correct, but I also remember how harsh the comments were for sudo-rs and its no-dependencies policy.
Anyways, I am posting it here as food for thought.
> Fork your dependencies, trim them to only your use case, never update unless it breaks for your users. I’ve been vocal about this for 10+ years. I’ve always said that updating is way riskier than latent bugs (which can be tracked and CVEs monitored).
> If you are updating a dependency, it’s on you to analyze every single commit in the full transitive set of dependencies. If you don’t see anything compelling, don’t update!
> I remember at HashiCorp once in a while an engineer would try to update a dep or replace a DIY lib with an external one and I’d always ask “show me the commit we need.” Don’t update for the sake of it.
> Feeling pretty swell about this mentality with all the supply chain attacks happening.
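The "analyze every single commit in the full transitive set" step starts with knowing which modules a bump actually changes. The following added example (mine, not from the quoted post or any HashiCorp tooling) diffs two go.sum snapshots and lists the added, removed and version-changed modules that a reviewer would have to read commit by commit; the module paths and `h1:` hashes are constructed placeholders.

```python
"""Diff two go.sum snapshots to list the transitive modules a dependency bump pulls in."""

# Constructed sample go.sum contents; module paths and h1: hashes are placeholders.
OLD_GO_SUM = """\
github.com/example/cli v1.4.0 h1:PLACEHOLDERAAA=
github.com/example/cli v1.4.0/go.mod h1:PLACEHOLDERAAB=
github.com/example/log v0.9.1 h1:PLACEHOLDERBAA=
github.com/example/log v0.9.1/go.mod h1:PLACEHOLDERBAB=
github.com/example/tls v2.0.0 h1:PLACEHOLDERCAA=
github.com/example/tls v2.0.0/go.mod h1:PLACEHOLDERCAB=
"""

NEW_GO_SUM = """\
github.com/example/cli v1.5.0 h1:PLACEHOLDERAAC=
github.com/example/cli v1.5.0/go.mod h1:PLACEHOLDERAAD=
github.com/example/log v0.9.1 h1:PLACEHOLDERBAA=
github.com/example/log v0.9.1/go.mod h1:PLACEHOLDERBAB=
github.com/example/yaml v3.1.2 h1:PLACEHOLDERDAA=
github.com/example/yaml v3.1.2/go.mod h1:PLACEHOLDERDAB=
"""


def parse_go_sum(text: str) -> dict[str, set[str]]:
    """Map module path -> set of versions recorded in a go.sum.

    Each module has a content line and a '/go.mod' line; both are folded into
    one version. A set is used because go.sum may keep stale versions around
    until 'go mod tidy' is run, and every one of them is still in the trust set.
    """
    modules: dict[str, set[str]] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # blank or malformed line
        path, version = parts[0], parts[1].removesuffix("/go.mod")
        modules.setdefault(path, set()).add(version)
    return modules


def review_set(old_text: str, new_text: str) -> dict[str, list]:
    """Return the modules whose commits must be reviewed before accepting the update."""
    old, new = parse_go_sum(old_text), parse_go_sum(new_text)
    report: dict[str, list] = {"added": [], "removed": [], "changed": []}
    for path in sorted(old.keys() | new.keys()):
        o, n = old.get(path, set()), new.get(path, set())
        if not o:
            report["added"].append((path, sorted(n)))      # brand-new transitive dep
        elif not n:
            report["removed"].append((path, sorted(o)))    # dropped from the tree
        elif o != n:
            report["changed"].append((path, sorted(o), sorted(n)))  # version bump
    return report


if __name__ == "__main__":
    for kind, entries in review_set(OLD_GO_SUM, NEW_GO_SUM).items():
        for entry in entries:
            print(kind, *entry)
```

Each "changed" entry gives the old and new tag range whose upstream commits need reading; an "added" entry means an entirely new module, and therefore a new author set, is entering the trust boundary.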