[Go Make Things] Every dependency is a potential vulnerability

Every piece of code is a potential vulnerability, really. Not just dependencies.

But code that you don't own, that's outside your control, is particularly vulnerable.

One of the big myths of using frameworks, libraries, and cloud services is that you no longer have to "own" that piece of the code. You're benefiting from someone else having already solved it.

And that's true! But it's also ephemeral. As Alex Russell notes…

If it's part of your build process or shipped bundle, no part of those dependencies is ever "unowned"; they're only temporarily disavowed.

IOW, all the code that can hand you a bad day is yours, no matter the up-front price.

Or as Kartik Agaram explains…

A library you're ignorant of is a risk you're exposed to, a now-quiet frontier that may suddenly face assault from some bug when you're on a deadline and can least afford the distraction.

In a follow-up article, he elaborates…

What's not good is the expectation they all-too-frequently set with their users: go ahead, use me in production without understanding me. This expectation has ill effects for both producers and consumers.

Libraries aren't bad. I use them often in my work!

But I do encourage my clients to be more thoughtful about which tools they choose, when they choose to use them, and when to reach for a third-party solution versus building something themselves.

I'll expand on some of these thoughts in future articles, but today I wanted to leave you with some food for thought.

And if you need help designing or building your next web project, get in touch.

Cheers,
Chris
