421 points saeedesmaili | 1 comments
montroser No.45308028
Yes, you are responsible for all the code you ship to your users. Not pinning dependencies is asking for trouble. It is literally, "download random code from the Internet and hope for the best."
replies(2): >>45308117 >>45308136
lelandfe No.45308117
Pinned dependencies usually have their own dependencies so you are generally always downloading random code and hoping.

I mean, jeeze, how much code comes along for the ride with Electron...

replies(2): >>45308189 >>45309458
chrisweekly No.45309458
No. "Always downloading random code and hoping" is not the only option. Even w/ the supply-chain shitshow that the public npmjs registry has become, using pnpm and a private registry makes it possible to leverage a frozen lockfile that represents the entire dependency graph and supports vulnerability-free reproducible builds.

EDIT to add: Of course, reaching a state where the whole graph is free of CVEs is a fleeting state of affairs. Staying reasonably up-to-date and using only scanned dependencies is an ongoing process that takes more effort and attention to detail than many projects are willing or able to apply; but it is possible.
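As an added example (not from the thread and not pnpm's own tooling), here is a POSIX shell pre-check for the frozen-lockfile approach above: it scans a pnpm-lock.yaml and fails if any package entry lacks an integrity hash or if an explicit tarball URL points anywhere other than the private registry. The sample lockfile, its hashes and the host name registry.internal.example are all constructed.

```shell
#!/bin/sh
# Run before `pnpm install --frozen-lockfile` in CI so the graph that gets
# installed is the one that was reviewed, fetched only from our own registry.

# Constructed sample lockfile (pnpm lockfileVersion 9 layout); placeholder hashes.
cat > pnpm-lock.sample.yaml <<'EOF'
lockfileVersion: '9.0'

importers:
  .:
    dependencies:
      left-pad:
        specifier: ^1.3.0
        version: 1.3.0

packages:

  left-pad@1.3.0:
    resolution: {integrity: sha512-PLACEHOLDER_HASH_A==}

  some-lib@2.0.0:
    resolution: {tarball: https://example.com/some-lib-2.0.0.tgz}

  other@1.0.0:
    resolution: {integrity: sha512-PLACEHOLDER_HASH_B==, tarball: https://registry.internal.example/other/-/other-1.0.0.tgz}

snapshots:

  left-pad@1.3.0: {}
EOF

# check_lockfile FILE REGISTRY_HOST: prints one line per violation, exits 1 if any.
check_lockfile() {
  awk -v allowed="$2" '
    /^packages:/               { inpk = 1; next }
    inpk && /^[^ ]/            { inpk = 0 }            # next top-level key ends the section
    inpk && /^  [^ ].*:$/      { name = $1; sub(/:$/, "", name); next }
    inpk && /^    resolution:/ {
      if ($0 !~ /integrity: sha512-/) { print "no-integrity " name; bad++ }
      if (match($0, /tarball: [^,}]+/)) {
        url = substr($0, RSTART + 9, RLENGTH - 9)
        if (index(url, "https://" allowed "/") != 1) { print "foreign-tarball " name " " url; bad++ }
      }
    }
    END { exit (bad ? 1 : 0) }
  ' "$1"
}

check_lockfile pnpm-lock.sample.yaml registry.internal.example || echo "lockfile check failed; fix the graph before installing"
```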