In case you’re unaware, I’m not a developer. I’m actually an autistic catgirl annoyed by suboptimal use of computing power, and fixing that happens to involve programming. Crucially, it also includes discussing foundational technology with people behind the scenes, and apparently that makes me more aware of social aspects of this sphere.
So, I have opinions about criticism of crates.io for supply-chain attacks. After a dozen similar articles, I have some select words to voice about why it’s off the mark.
Not updating with audit would work if every direct and transient dependency provided security updates for every version. But they don’t. Often, security updates are for the most recent version or versions, and if you’re far behind, you now have to audit a lot more.
Transient dependencies are an audit problem, too. To audit something, you have to essentially audit recursively. Many libs use many other libs of varied authors.
Our systems are too open, too vulnerable. A build or check being able to access all resources is a fundamental systematic vulnerability.