top | item 45595462

(no title)

Valk3_ | 4 months ago

What I'm wondering about is, if you have lots of dependencies, like in the hundreds or thousands, idk how many npm packages usually can have for the average web dev project, how do you even audit all of that manually? Sounds pretty infeasible? This is not to say we should not worry about it, I'm just genuinely curious what do you do in this situation? One could say well don't get that many dependencies to begin with, but the reality of web dev projects nowadays for instance, is that you get alot of dependencies that are hard to check manually for insecurities.

discuss

ryandrake|4 months ago

Some developers accept it as a reality, but it's only a reality if you're doing it. I think the time to figure this out is before your project gets a mess of hundreds or thousands of dependencies. Bringing in even a single dependency should be a big deal. Something you agonize over. Something you debate and study. Something you don't do unless you really, really mean it. Certainly not a casual decision. Some languages/environments make it too easy. Easy like: A single command line command and you now have a dependency. Total madness!

unknown|4 months ago

[deleted]