undefined | Better HN

0 pointsaaomidi2y ago0 comments

This is why I prefer vendoring dependencies. I have to actually code review them.

0 comments

cxr2y ago

Whether you're storing your own copy of a given dependency and whether you've done code review for it are orthogonal concepts. (You can check it in and perform the same amount of review that people do when deferring to `npm install` for late fetching, i.e. none.)

Conflating these two not-unrelated-but-still-distinct concepts is a big contributor to why the current state of the art is so fraught.

mcny2y ago

I'd be called insane if I suggested it. I work with dotnet and I'd rather not add all the code in newtonsoft json and manually review each line. I mean where does it stop? Why not have everyone in the world code review asp.net and dot net libraries for every single website project at that rate?

sakjur2y ago

Rust’s Cargo vet offers an answer to that question.

You can import a list of audits from trusted auditors, which should cover all popular packages. Now you have to audit dependencies that aren’t well-known in the community, which really is the set of dependencies that you should take an extra look at. The big popular JSON libraries can be audited by either Microsoft or some of the other large projects that are using them.

You’d explicitly share your trust list in your audit file, and anything (updates or new packages) that isn’t trusted by you or one of your listed auditors is flagged for auditing.

https://mozilla.github.io/cargo-vet/index.html

j / k navigate · click thread line to collapse