Dependencies are a huge supply chain security risk; the more of them you have, and the more often you update, the bigger the attack surface.

Lobsters is a community-driven platform for sharing and discussing links to articles, tutorials, and projects related to technology and programming. Readers can learn about a wide range of topics, from software development and system administration to cybersecurity and artificial intelligence. With user submissions, comments, and voting, Lobsters provides a platform for collaborative learning and knowledge sharing among technology enthusiasts.

Lobsters

Third-party dependencies represent a significant supply chain security risk. Recent incidents like the XZ backdoor, the Trivy compromise, and LiteLLM being affected illustrate how both runtime and dev dependencies can be weaponized. The real danger isn't just adding dependencies but automatically updating them with tools like Dependabot, which can introduce compromised versions with little review. The recommendation is to turn off automatic dependency updates, be selective about adding new dependencies, and prefer copying small amounts of code over introducing new libraries.

Every dependency you add is a supply chain attack waiting to happen