item 43523110
bobnamob | 11 months ago

And now you've pulled in a full sql parser as a dependency (admittedly a dev/build time dependency, but a dependency nonetheless) in a project that has no business parsing sql.

In this day and age of increasingly rampant supply chain attacks & dependency vulnerabilities, I'd definitely be second-guessing the approach of "just write a test for it" if that test involved blowing up your attack/vuln surface.

kobzol | 11 months ago

I don't really see an attack surface for a dev dependency.

conradludgate | 11 months ago

Your development machine, potentially with API keys and access tokens in `$HOME`, is the attack surface.