Want to actually level up your coding skills? Get 40% OFF CodeCrafters and build real-world projects: https://app.codecrafters.io/join?via=codehead-01

Check out Mobbin and get acces to the BIGGEST app design library: https://www.mobbin.com/?via=codehead

Buy this tired Code Head a ☕: https://buymeacoffee.com/codehead


Socket.dev article 👉 https://socket.dev/blog/wget-to-wipeout-malicious-go-modules-fetch-destructive-payload

CodeHead

Golang is under scrutiny due to vulnerabilities exposed by a malicious package. Unlike other ecosystems, Go modules are fetched directly from version control systems without central oversight, making them susceptible to security risks. Users are advised to audit packages thoroughly before installing them as Go lacks built-in safeguards. Despite its simplicity and efficiency, the language's dependency handling is deemed naive.

The GO Situation Is CRAZY...

I’ll kick off with an appropriate quote:
<blockquote>
'Well, boohoo. I am so sorry your feelings are hurt, princess.&quot;
Bobby Singer, Supernatural
</blockquote>
Switching a language for this is like to stop using knives because you cut yourself once.
You’re supposed to check any 3rd party code and sandbox your dev environment. You can’t blame the language for a developer being stupid or lazy.

Honestly, I don’t reaaally need auto security audits on every single Go package I’m considering
Go already sets it up so it’s like, extraordinarily easy to write anything raw on top of the stdlib, so the projects I wrote really only needed like 1-2 explicit dependencies, and they felt more like helpful wrappers than anything
It’s not like npm where there’s terabytes of weekly traffic for libraries that just cast to int or whatever
Of course, if a lib I use actually imports a backdoor, that would be a problem, but the only libs I need are actually very well reviewed and worked on every day, and how often does this kinda thing even happen?
I mean, would have no problem with them making it a bit safer someday either, does sound important and I love feeling secure, but Go doesn’t need these things as much as other environments do

when this happens to GO: there, there! you poor thing!
when this happens to Javascript: YOU FUCKING DONKEY!

I would like to know which language with a centralized package store is doing audit or any kind of security check…
Please let me know, I am very curious about that.
It is a bit like you are saying git is not good because the public repo you could pull is potentially unsafe.

This is a feature not a bug. No one company should control all packaging for a language.