> Postponing dependency updates is very, very bad for security. That is not a solution to supply-chain attacks.
You are right; this underlines the thought and care some distributions put into their package management system...
> The whole point of APIs is that we do not need to understand the inner workings of code that we're calling. How many of us use bcrypt and couldn't tell you anything about the underlying algorithm?
That is right, but code written by unknown developers can be a huge risk. Of course you are not expected to read up on every dependency, only on those from external sources.
A quick glimpse at the imports and dependencies goes a long way, I think.
In the end your team is responsible for security issues, even if they appear in an external dependency.
Companies with direct customer sales are spending tons of money on mitigation strategies. Maybe a chunk of this money should be spent on validating this beforehand.