neilv 4 days ago
> This is critical infrastructure, and it gets compromised way too often. Most times that I go to use some JS, Python, or (sometimes) Rust framework, I get a sinking feeling, as I see a huge list of dependencies scroll by. I know that it's a big pile of security vulnerabilities and supply-chain attack risk. Web development documentation that doesn't start with `npm install` seems rare now. Then there's the 'open source' mobile app frameworks that push you to use the framework on your workstation with some vendor's Web platform tightly in the loop, which all your code flows through. Children, who don't know how things work, will push any button. But experienced software engineers should understand the technology, the business context, and the real-world threats context, and at least have an uneasy, disapproving feeling every time they work on code like this. And in some cases -- maybe in all cases that aren't a fly-by-night, or an investment scam, or a hobby project on scratch equipment -- software engineers should consider pushing back against engaging in irresponsible practices that they know will probably result in compromise.
cjonas 4 days ago | parent
What does having an "uneasy disapproving feeling" actually solve?