kvuj 3 hours ago

The cargo.lock file is 2200+ lines long. Did they spend a reasonable amount of time auditing these dependencies?

CodesInChaos 2 hours ago | parent | next [-]

That's 238 dependencies (counting multiple versions of the same crate).

* Many of them are part of families of crates maintained by the same people (e.g. rust-crypto, windows, rand or regex).

* Most of them are popular crates I'm familiar with.

* Several are only needed to support old compiler versions and can be removed once the MSRV is raised

So it's not as bad as it looks at first glance.

shikon7 3 hours ago | parent | prev | next [-]

What would be a reasonable amount of time to audit the dependencies?

kvuj 2 hours ago | parent [-]

I would let them decide based on their security policy.

If Microsoft states that they don't have any for a project like this, I would be wary of taking it too seriously.

Andrex 3 hours ago | parent | prev | next [-]

They ran it through Copilot which gave it the all-clear.

TheSilva 3 hours ago | parent [-]

[flagged]

RoyTyrell 2 hours ago | parent [-]

Nope, that's a very fair poke at MS. They've gone so far into AI adoption that it's become absurd.

- They have VPs posting on Linkedin about rewriting existing code using AI and adhering to arbitrary metrics of a x% rewrite and laying off y% of engineers that used to work on it.

- Renaming one of their major flagship product lines (MS Office) to (MS Copilot Apps 365).

- Forcing AI features on users despite not wanting it, and overriding OS configuration that should turn it off.

- Executives publicly shaming the general public for not wanting "all the AI all the time".

adolph 3 hours ago | parent | prev | next [-]

  grep 'name = ' ms-litebox-Cargo.lock | wc -l
     238
edit:

  grep 'name = ' ms-litebox-Cargo.lock | sort -u | wc -l
     221
dizhn 3 hours ago | parent [-]

I've always done 'sort | uniq'. Never bothered to check for the unique flag to sort. Although 'uniq -c' is quite nice to have.

       -c, --count
              prefix lines by the number of occurrences
adolph 2 hours ago | parent [-]

Yeah, to see the packages with multiple versions:

  grep 'name = ' ms-litebox-Cargo.lock | sort | uniq -c | grep -v '1 name' | sort -n
Package windows-sys has the highest number of versions included, 3: 0.59.0, 0.60.2, and 0.61.2.

Edit: Also, beware of the unsorted uniq count:

  cat <<EOF | uniq -c
  > a
  > a
  > b
  > a
  > a
  > EOF
   2 a
   1 b
   2 a
dundarious 2 hours ago | parent [-]

grep -v '1 name' excludes 11, 21, etc., but I take your point.
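The `grep | sort | uniq -c` pipeline above and the `grep -v '1 name'` pitfall dundarious points out, as an added example that is not from the thread or from the project: this parses the `[[package]]` entries of a Cargo.lock directly and reports crates pinned in more than one version by counting, so entries with 10+ versions are not silently dropped. The lock-file text is constructed inline (it is not the real ms-litebox Cargo.lock), and the crate name `many-versions` is hypothetical.

```python
import re
from collections import defaultdict


def package_block(name, version):
    """Emit one Cargo.lock [[package]] entry (constructed test data, not a real lock file)."""
    return f'[[package]]\nname = "{name}"\nversion = "{version}"\n\n'


# Constructed sample: three windows-sys versions as reported in the thread, one regex,
# two rand versions, and a hypothetical crate with 11 versions to exercise the
# "11 name" case that a text grep for '1 name' would wrongly exclude.
SAMPLE_LOCK = "".join(
    [package_block("windows-sys", v) for v in ("0.59.0", "0.60.2", "0.61.2")]
    + [package_block("regex", "1.11.1")]
    + [package_block("rand", v) for v in ("0.8.5", "0.9.0")]
    + [package_block("many-versions", f"0.{i}.0") for i in range(11)]
)

# In Cargo.lock the `version` line always directly follows the `name` line of an entry.
PACKAGE_RE = re.compile(r'^name = "([^"]+)"\nversion = "([^"]+)"', re.M)


def count_entries(lock_text):
    """Same number as `grep 'name = ' Cargo.lock | wc -l`: one per pinned crate version."""
    return len(PACKAGE_RE.findall(lock_text))


def versions_by_name(lock_text):
    """Map each crate name to the sorted list of distinct versions pinned for it."""
    found = defaultdict(set)
    for name, version in PACKAGE_RE.findall(lock_text):
        found[name].add(version)
    return {name: sorted(vs) for name, vs in found.items()}


def multi_version_packages(lock_text):
    """Crates pinned in more than one version, ordered by version count then name.

    Filtering on the parsed count (not on the text '1 name') keeps entries whose
    count merely ends in 1, such as 11 or 21.
    """
    multi = {n: v for n, v in versions_by_name(lock_text).items() if len(v) > 1}
    return sorted(multi.items(), key=lambda kv: (len(kv[1]), kv[0]))


if __name__ == "__main__":
    print(count_entries(SAMPLE_LOCK), "entries,", len(versions_by_name(SAMPLE_LOCK)), "unique names")
    for name, vs in multi_version_packages(SAMPLE_LOCK):
        print(f"{len(vs):>4} {name}: {', '.join(vs)}")
```

Point it at a real lock file with `multi_version_packages(open("Cargo.lock").read())`; duplicated crates are a good place to start a dependency audit, since each extra version is one more copy of that code to review.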

jrm4 2 hours ago | parent | prev [-]

Given, you know, Microsoft, I'd demand proof even if they said they did.