hvb2 5 days ago

That's what a package is supposed to solve, no?

Sure there are packages trying to solve 'the world' and as a result come with a whole lot of dependencies, but isn't that on whoever installs it to check?

My point was that a git clone of the source can't be the solution, or you own all the code... And you can't. You always depend on something...

3036e4 5 days ago | parent

Your dependencies are also part of your product and your full responsibility. No one you deliver a product to will accept "it wasn't my code, it was in a dependency of one of my dependencies" as an excuse. Of course you need to depend on things, but it is insane to not keep that to a minimum.

hvb2 5 days ago | parent

So you're expecting to see every product affected by this to go and do a big mea culpa because one of their dependencies broke?

Like how xz was attacked, everyone pointed at that and no one said they didn't vet their dependencies.

That's the whole point: you attack a dependency that everyone relies on because it's been good and stable. That's how these pyramids build up over time.

So spoiler, it's not unlikely one of the dependencies in your minimal set gets exploited...

jen20 5 days ago | parent

> So you're expecting to see every product affected by this to go and do a big mea culpa because one of their dependencies broke?

Yes, absolutely. It's the bare minimum for people offering commercial products.