As someone who works for a DoD contractor, this whole situation sounds crazy. Just because something is available as a crate doesn't mean you are to assume it is safe or appropriate for your use. The onus of verifying the dependencies should always be on the consumer.
Haha, also a DoD contractor, and sometimes I wonder whether I'm the insane one who can't handle the wild west behavior of HN people surrounding npm packages...
I have some side projects that use React and I don't mind because they are small-time and React is fun, but seeing that list of dependencies scroll by in the terminal makes me extremely uneasy every time.
No, you guys aren't the only ones. Not currently a defense contractor, but I was one in a previous life. Whenever I read articles and comments here on HN about dependency management I break out in a sweat. It's shocking how cavalier people are about pulling in third-party dependencies, and how dismissive the attitude is about risk management: what exactly it is that the dependencies do, how suitable they really are for the project, what happens if they stop being suitable (contingency plans), how auditable and traceable changes are, etc.
It’s just “npm install” and YOLO for a lot of developers!