
429 points saeedesmaili | 1 comments
doesnt_know No.45308105
Going to preface this post by saying I use and love Obsidian, my entire life is effectively in an Obsidian vault, I pay for sync and as a user I'm extremely happy with it.

But as a developer this post is nonsense and extremely predictable [1]. We can expect countless others like it that explain how their use of these broken tools is different and just don't worry about it!

By their own linked Credits page there are 20 dependencies. Let's take one of those, electron, which itself has 3 dependencies according to npm. Picking one of those electron/get has 7 dependencies. One of those dependencies got, has 11 dependencies, one of those cacheable-request has 7 dependencies etc etc.

Now go back and pick another direct dependency of Obsidian and work your way down the dependency tree again. Does the Obsidian team review all these and who owns them? Do they trust each layer of the chain to pick up issues before it gets to them? Any one of these dependencies can be compromised. This is what it means to be a supply chain attack: you only have to quietly slip something into any one of these dependencies to have access to countless critical user data.

[1] https://drewdevault.com/2025/09/17/2025-09-17-An-impossible-...

replies(2): >>45308206 >>45311295
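The dependency-tree exercise in the comment above can be done mechanically against a lock file. The following is an added example, not code from the thread or from Obsidian: it walks a package-lock.json (lockfileVersion 3 layout, including npm's nested node_modules resolution) and reports, per direct dependency, how many distinct packages and how many layers of maintainers end up being trusted. The lock fragment is constructed for illustration; the versions and dependency subsets are made up.

```python
import json
from collections import deque
# Constructed lockfileVersion-3 fragment for illustration only (not Obsidian's real lock
# file); versions and the dependency subsets are made up for the example.
SAMPLE_LOCK = json.loads("""{
 "lockfileVersion": 3, "packages": {
  "": {"dependencies": {"electron": "^30", "placeholder-ui": "^1"}},
  "node_modules/electron": {"dependencies": {"@electron/get": "^2", "@types/node": "^20", "extract-zip": "^2"}},
  "node_modules/@electron/get": {"dependencies": {"got": "^11", "debug": "^4"}},
  "node_modules/got": {"dependencies": {"cacheable-request": "^7", "decompress-response": "^6"}},
  "node_modules/got/node_modules/decompress-response": {},
  "node_modules/cacheable-request": {"dependencies": {"keyv": "^4"}},
  "node_modules/extract-zip": {"dependencies": {"debug": "^4"}},
  "node_modules/@types/node": {}, "node_modules/debug": {}, "node_modules/keyv": {}, "node_modules/placeholder-ui": {}
}}""")

def resolve(packages, parent, name):
    """npm lookup: nearest node_modules below `parent` first, then walk up to the root."""
    base = parent
    while True:
        candidate = f"{base}/node_modules/{name}".lstrip("/")
        if candidate in packages:
            return candidate
        if not base:
            return None  # not installed at any level above `parent`
        base = base.rpartition("/node_modules/")[0]  # drop one nesting level

def transitive_deps(packages, start):
    """Breadth-first walk from `start`; returns {lock path: depth} for every package reached."""
    depth = {start: 0}
    queue = deque([start])
    while queue:
        path = queue.popleft()
        for name in packages.get(path, {}).get("dependencies", {}):
            target = resolve(packages, path, name)
            if target is not None and target not in depth:
                depth[target] = depth[path] + 1
                queue.append(target)
    del depth[start]  # report only what `start` pulls in, not itself
    return depth

def trust_surface(lock):
    """Per direct dependency: distinct packages it pulls in and how deep the chain goes."""
    packages = lock["packages"]
    report = {}
    for name in packages[""]["dependencies"]:
        reach = transitive_deps(packages, resolve(packages, "", name))
        report[name] = {"transitive": len(reach), "max_depth": max(reach.values(), default=0)}
    report["_total_distinct"] = len(transitive_deps(packages, ""))
    return report
```

Pointing `json.load` at a real project's package-lock.json in place of the sample gives the same report for the actual tree; every package in `_total_distinct` is a separate publisher whose account or release pipeline is in the trust chain.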
1. PhilipRoman No.45311295
To be fair, the electron project likely invests some resources in reviewing its own dependencies, because of its scale. But yeah this is a good exercise, I think we need more systems like Yocto which prioritize complete understanding of the entire product from source.