
> React is from Facebook, isn't it?

Yes, but it uses a massive number of libraries that were not developed at Facebook.

> But yes, with an increasing amount of dependencies the process of updating such needs more effort as well. But then, we can postpone such updates, if the application under development is safety critical...

Postponing dependency updates is very, very bad for security. That is not a solution to supply-chain attacks.

> Well, one should be able to judge about the workings imo. Otherwise maintainability can get painful in the long run.

The whole point of APIs is that we do not need to understand the inner workings of code that we're calling. How many of us use bcrypt and couldn't tell you anything about the underlying algorithm?

> Postponing dependency updates is very, very bad for security. That is not a solution to supply-chain attacks.

You are right; this underlines the thought and care some distributions put into their package management system...

> The whole point of APIs is that we do not need to understand the inner workings of code that we're calling. How many of us use bcrypt and couldn't tell you anything about the underlying algorithm?

That is right, but code written by unknown developers can be a huge risk. Of course you are not assumed to read up on any dependency, but from external sources. A quick glimpse at the imports and dependencies goes a long way, I think. In the end your team is responsible for security issues, even if they appear in an external dependency. Companies with direct customer sales are spending tons of money on mitigation strategies. Maybe a chunk of this money should be spent on validating this beforehand.
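The "quick glimpse at the dependencies" the comment above recommends can be automated against the lockfile that npm writes. The script below is an added example, not code from any commenter: it walks a constructed package-lock.json (npm lockfile v2/v3 "packages" layout, a format assumption), separates direct from transitive dependencies, and flags packages that are resolved outside a trusted registry, lack a pinned integrity hash, or declare an install script.

```python
import json
from urllib.parse import urlparse

# Constructed sample lockfile for illustration only; not from a real project.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"react": "^18.0.0", "left-pad-ish": "1.0.0"}},
        "node_modules/react": {
            "version": "18.2.0",
            "resolved": "https://registry.npmjs.org/react/-/react-18.2.0.tgz",
            "integrity": "sha512-AAAA", "dependencies": {"loose-envify": "^1.1.0"}},
        "node_modules/loose-envify": {
            "version": "1.4.0",
            "resolved": "https://registry.npmjs.org/loose-envify/-/loose-envify-1.4.0.tgz",
            "integrity": "sha512-BBBB", "dependencies": {"js-tokens": "^4.0.0"}},
        "node_modules/js-tokens": {
            "version": "4.0.0",
            "resolved": "https://registry.npmjs.org/js-tokens/-/js-tokens-4.0.0.tgz",
            "integrity": "sha512-CCCC"},
        # Hypothetical package pulled straight from a git host with an install hook.
        "node_modules/left-pad-ish": {
            "version": "1.0.0",
            "resolved": "git+ssh://git@example.invalid/someone/left-pad-ish.git#abc123",
            "hasInstallScript": True},
    },
})

TRUSTED_HOSTS = {"registry.npmjs.org"}  # assumption: only the public registry is trusted

def audit_lockfile(text, trusted_hosts=TRUSTED_HOSTS):
    """Summarise a lockfile: direct/transitive counts plus (package, reason) findings."""
    pkgs = json.loads(text)["packages"]
    direct = set(pkgs.get("", {}).get("dependencies", {}))
    # Every non-root entry is an installed package; strip the node_modules/ prefix.
    installed = {p.rsplit("node_modules/", 1)[-1]: meta for p, meta in pkgs.items() if p}
    findings = []
    for name, meta in installed.items():
        resolved = meta.get("resolved", "")
        host = urlparse(resolved).hostname or ""
        if host not in trusted_hosts:
            findings.append((name, "resolved outside trusted registry: " + (resolved or "<none>")))
        if "integrity" not in meta:
            findings.append((name, "no integrity hash pinned"))
        if meta.get("hasInstallScript"):
            findings.append((name, "declares an install script"))
    return {"direct": len(direct),
            "transitive": len(installed) - len(direct),
            "findings": findings}

if __name__ == "__main__":
    report = audit_lockfile(SAMPLE_LOCK)
    print(f"direct: {report['direct']}, transitive: {report['transitive']}")
    for name, reason in report["findings"]:
        print(f"  {name}: {reason}")
```

Run it against a real package-lock.json by replacing SAMPLE_LOCK with the file's contents; the transitive count alone usually makes the "massive number of libraries" point concrete.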