zihotki 4 hours ago

And the best recommendation security teams can give is: keep your SBOM strict, use a min release age policy (sounds more like a band-aid). That's a scary world to live in.

wolfi1 4 hours ago

A friend of mine has a very different solution: he codes everything by hand. He says that the time you need to research a new package before including it, you can actually use to code the piece you need. And he for sure doesn't have the problems of transitive dependencies.

supernes 2 hours ago

That's been happening to me more often too recently. I find that, for a growing number of simple problems, reinventing the wheel is faster and more efficient than importing a mature, fully-featured dependency.

nicce 4 hours ago

Depending on the scenario, it can be very fine. E.g. if you just need one or two function calls from the dependency. However, for some complex binary protocols it might be better to stick with libraries.

dgellow 4 hours ago

I assume that means he genAIs all his deps, rather than writing them by hand?

hsbauauvhabzb 3 hours ago

But now he needs to develop, test and maintain that code. left-pad is easily hand coded, the React framework not so much.

wolfi1 3 hours ago

His projects were GUIs for machines (HMI).

nicce 4 hours ago

> keep your SBOM strict

Based on the news, it seems like it is better to not include Microsoft at all in there.