Dependencies are a huge supply chain security risk; the more of them you have, and the more often you update, the bigger the attack surface.
  • Sv443@sh.itjust.worksEnglish
    15 days

    that’s why I always implement encryption myself and never update anything

  • AA5B@lemmy.worldEnglish
    15 days

    I’m not buying this. Sure minimizing dependencies is a good practice, but not updating? That’s a recipe for disaster.

    It’s important to note that you can’t predict supply chain attacks or vulnerabilities, and vulnerabilities are much more common. Also, while frequent updates might expose you to that supply chain attack more quickly, it also mitigates it more quickly. Frequent updates in combination with vulnerability scanning, and limiting downloads to reputable sources (that try to prevent supply chain attacks and discover them quickly) is a much better approach.

    There also the maintainability argument, that I’m having right now with a couple of our legacy software teams. Not updating can lock you into the past, for entire ecosystems of dependencies. You cant update if you have to, you cant take advantage of new features anywhere in the ecosystem, and it’s now an expensive emergency when something stops being maintained or has an unresolved vulnerability. If you’re being continually kept up, then choices or features are easy

    Then the goal is how do you automate your updates as smoothly as possible so they do not become noise, do not create extra work? Tools like dependabit and renovate bot have a lot of config options to help that

    • corsicanguppy@lemmy.caEnglish
      14 days

      not updating? That’s a recipe for disaster.

      Not blindly updating.

      It’s a different thing.

  • earthworm@sh.itjust.worksEnglish
    15 days

    The careful reader may note that my title is not quite accurate. It’s not every dependency you add that’s a problem; it’s every dependency you update.

    Why not put that in the title, Mr. Hoyt?

      • corsicanguppy@lemmy.caEnglish
        14 days

        Every dependency you don’t update is a zero day waiting to happen. All software carries risk.

        In the same breath you’re advocating updating without checking, and saying why that’s an issue. You … realize that, right?

        You’re so close to realising the reason enterprise distros do backports.

        • renegadespork@lemmy.jelliefrontier.netEnglish
          14 days

          you’re advocating updating without checking,

          Uh… no. That’s not what I said. I said there’s risk in both updating and not updating. You need to do the assessment to decide which one is best for the situation.