This comes up all the time on HN and I’m always shocked[1] at how controversial an idea it is that the developer is responsible for knowing what they are shipping in their dependencies. “Oh, woe, how can you audit all of your dependencies and their dependencies and know what’s in them?? Oh it’s impossible! There is no way to solve this!”
Too few devs are really careful about their dependencies and do good due diligence when evaluating them for suitability. Everyone else is just “Hey our problem is solved by this one. YOLO! Link it and ship it LOL!” I’ve seen projects that link and ship binary dependencies without even being able to inspect the source. This is, to me, totally insane. But standard practice in a lot of places!
While I totally agree with what you say here, I think it goes deeper. Some devs/shops are complicit in this, knowingly adding dependencies for shady reasons.
1: https://news.ycombinator.com/item?id=21439953
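One concrete form of the due diligence the first commenter asks for is simply enumerating what actually ends up in the dependency tree and flagging the entries you cannot verify or inspect. The script below is an added example written for this page, not code from any of the commenters or from npm; it assumes the npm lockfile v2/v3 `packages` layout (paths like `node_modules/<name>`), and the sample lockfile, the package names in it and the truncated `sha512-...` hashes are all constructed for illustration.

```python
"""Walk an npm lockfile's transitive dependency tree and flag entries that
cannot be pinned by hash, do not come from the public registry, or run code
at install time. Added example; the lockfile below is constructed, not real."""
import json

REGISTRY = "https://registry.npmjs.org/"

# Constructed sample lockfile (v3 "packages" layout). Hashes are placeholders.
SAMPLE_LOCK = json.dumps({
    "name": "app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "app",
             "dependencies": {"left-pad": "^1.3.0", "native-thing": "^2.0.0"}},
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": REGISTRY + "left-pad/-/left-pad-1.3.0.tgz",
            "integrity": "sha512-...",           # placeholder, not a real digest
            "dependencies": {"tiny-util": "^0.1.0"},
        },
        "node_modules/tiny-util": {
            "version": "0.1.0",
            "resolved": REGISTRY + "tiny-util/-/tiny-util-0.1.0.tgz",
            "integrity": "sha512-...",           # placeholder, not a real digest
        },
        "node_modules/native-thing": {           # hypothetical git dependency
            "version": "2.0.0",
            "resolved": "git+ssh://git@example.invalid/vendor/native-thing.git#abc123",
            "hasInstallScript": True,
        },
    },
})


def resolve(packages, from_path, dep_name):
    """Mimic Node's lookup: nearest node_modules/<dep_name> walking up from from_path."""
    base = from_path
    while True:
        candidate = f"{base}/node_modules/{dep_name}" if base else f"node_modules/{dep_name}"
        if candidate in packages:
            return candidate
        if not base:
            return None
        idx = base.rfind("/node_modules/")  # strip the last nesting level
        base = base[:idx] if idx != -1 else ""


def reachable(lock):
    """Every lockfile entry actually reachable from the root project, keyed by path."""
    packages = lock["packages"]
    seen, stack = {}, [""]
    while stack:
        path = stack.pop()
        entry = packages.get(path, {})
        deps = list(entry.get("dependencies", {})) + list(entry.get("optionalDependencies", {}))
        for dep in deps:
            target = resolve(packages, path, dep)
            if target is not None and target not in seen:
                seen[target] = packages[target]
                stack.append(target)
    return seen


def inventory(lock_text):
    """Sorted package names that will be shipped: direct and transitive."""
    return sorted(p.rsplit("node_modules/", 1)[-1] for p in reachable(json.loads(lock_text)))


def audit(lock_text):
    """Return (name, reason) findings for entries a reviewer cannot take on trust."""
    findings = []
    for path, entry in sorted(reachable(json.loads(lock_text)).items()):
        name = path.rsplit("node_modules/", 1)[-1]
        if not entry.get("integrity"):
            findings.append((name, "no integrity hash: contents are not pinned"))
        if not entry.get("resolved", "").startswith(REGISTRY):
            findings.append((name, f"not from the registry: {entry.get('resolved')}"))
        if entry.get("hasInstallScript"):
            findings.append((name, "has an install script: code runs at npm install time"))
    return findings


if __name__ == "__main__":
    print("shipping:", ", ".join(inventory(SAMPLE_LOCK)))
    for name, reason in audit(SAMPLE_LOCK):
        print(f"REVIEW {name}: {reason}")
```

Run against a real `package-lock.json` by replacing `SAMPLE_LOCK` with the file contents. The output is only the starting point: it tells you which tarballs to actually open and read, and which entries (unpinned, non-registry, install-script) deserve attention first. It does not verify the hashes or look inside the packages.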