
429 points saeedesmaili | 2 comments
1. scuff3d No.45308316
This doesn't make any sense to me. I've always been told you don't write anything yourself unless you absolutely have to and having a million micro-dependencies is a good thing. JavaScript and now Rust devs have been saying this for years. Surely they know what they're doing...
replies(1): >>45311262
2. elric No.45311262
There is a balance to be struck. NPM in particular has been a veritable dependency hell for a long time. I don't know if it just attracts inexperienced developers, or if its security model is fundamentally flawed, but there have been soooo many supply chain attacks using NPM that being extra careful is very much warranted.