Malicious versions of Nx and some supporting plugins were published

People really need to start thinking twice when adding a new dependency. So many supply chain attacks this year.

This week, I needed to add a progress bar with 8 stats counters to my Go project. I looked at the libraries, and they all had 3000+ lines of code. I asked LLM to write me a simple progress report tracking UI, and it was less than 150 lines. It works as expected, no dependencies needed. It's extremely simple, and everyone can understand the code. It just clears the terminal output and redraws it every second. It is also thread-safe. Took me 25 minutes to integrate it and review the code.

If you don't need a complex stats counter, a simple progress bar is like 30 lines of code as well.

This is a way to go for me now when considering another dependency. We don't have the resources to audit every package update.

Part of the value proposition for bringing in outside libraries was: when they improve it, you get that automatically.

Now the threat is: when they “improve” it, you get that automatically.

left-pad should have been a major wake up call. Instead, the lesson people took away from it seems to have mostly been, “haha, look at those idiots pulling in an entire dependency for ten lines of code. I, on the other hand, am intelligent and thoughtful because I pull in dependencies for a hundred lines of code.”

So, what's the acceptable LOC count threshold for using a library?

Maybe scolding and mocking people isn't a very effective security posture after all.

Scolding and mocking is all we're left with, since two decades worth of rational arguments against these types of hazards have been dismissed as fear-mongering.

I don't think we're going to reach a point where "don't use dependencies at all" is a rational argument for most projects.

It's a good thing then that was not among the rational arguments I was referring to. Do you have other straw men on offer?