| ▲ | 3036e4 5 days ago | |||||||
Your dependencies are also part of your product and your full responsibility. No one you deliver a product to will accept "it wasn't my code, it was in a dependency of one of my dependencies" as an excuse. Of course you need to depend on things, but it is insane to not keep that to a minimum. | ||||||||
| ▲ | hvb2 5 days ago | parent [-] | |||||||
So you're expecting to see every product affected by this to go and do a big mea culpa because one of their dependencies broke? Like how xz was attacked, everyone pointed at that and no one said they didn't vet their dependencies. That's the whole point, you attack a dependency that everyone relies on because it's been good and stable. That's how these pyramids build up over time. So spoiler, it's not unlikely one of the dependencies in your minimal set gets exploited... | ||||||||
| ||||||||