Hacker News
Front end just became a backdoor, and on the future of cyber attacks (vonwerk.com)
2 points by mxmzb 71 days ago | 1 comment


The real problem is just the sheer number of dependencies we accept as normal now. Especially in the Node ecosystem, the culture is to install a package for literally everything.

You pull in one library and suddenly you have a dependency tree of 500 sub-packages. That is a massive attack surface. It feels like we have given up on actually vetting code because it is physically impossible to audit that much stuff. We are basically just crossing our fingers that the maintainers 4 levels deep are doing their job.



