(obsidian.md)

469 points saeedesmaili | 1 comments | 19 Sep 25 22:02 UTC | HN request time: 0.206s | source

Show context

montroser ◴[19 Sep 25 23:28 UTC] No.45308028[source]▶

Yes, you are responsible for all the code you ship to your users. Not pinning dependencies is asking for trouble. It is literally, "download random code from the Internet and hope for the best."

replies(2): >>45308117 #>>45308136 #

Scramblejams ◴[19 Sep 25 23:42 UTC] No.45308136[source]▶

>>45308028 #

Pinning dependencies also means you're missing any security fixes that come in after your pinned versions. That's asking for trouble too, so you need a mechanism by which you become aware of these fixes and either backport them or upgrade to versions containing them.

replies(4): >>45308253 #>>45309891 #>>45310841 #>>45312407 #

1. skydhash ◴[20 Sep 25 11:34 UTC] No.45312407[source]▶

>>45308136 #

> so you need a mechanism by which you become aware of these fixes and either backport them or upgrade to versions containing them

RSS Feeds?

↑

Less is safer: How Obsidian reduces the risk of supply chain attacks