Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

   > Modern languages like Zig, Gleam, and Roc offer genuine productivity benefits and attract top talent. As a bonus, their ecosystems are young enough that security tooling has not caught up yet. Dependabot will add support eventually, but until then you get the best of both worlds: a modern stack and a quiet PR queue.
How the hell is that actually a good thing? You might as well just use another language and disable Dependabot security updates if that's what you're looking for. Dependabot security updates aren't a liability, they're an asset in a world where developers use hundreds of dependencies daily, where every few months one of them is going to have a XSS or RCE vulnerability that has to be patched ASAP.

   > And if you are really concerned about a dependency’s security, you can always rewrite it yourself in Rust over a weekend.
That's not how it works. Honestly, this blog post gets me really worried about this developer's projects and clients.

   > Remove lockfiles from version control
What the fuck.




I'm pretty sure the article is joking

> If the vulnerability were critical, someone would have merged it by now.

> GitHub Copilot can automatically suggest fixes for security vulnerabilities. Instead of updating to a patched version, let AI generate a workaround in your own code.

reply


   > I'm pretty sure the article is joking
Went right over my head LOL it actually made me angry reading it earlier hahaha

Well, that makes a lot of sense. I guess I didn't take it as a joke because I've seen some of these things recommended before (including not checking in lockfiles) in other contexts.

reply


I started to reevaluate the seriousness of this advice with the going to jail prompt. I probably should have caught on sooner :)

reply


I didn't manage to get to that point of the article out of pure anger... He got me all right LOL

reply


The "> Remove lockfiles from version control" got me as well.

> Reproducible builds sound nice in theory, but velocity matters more than determinism. Think of it as chaos engineering for your dependency tree.

Reproducible builds are nice in practice, too. :) In the Node.js ecosystem, if you have enough dependencies, even obeying semver your dependencies will break your code. Pinning to specific versions is critical.

reply


Thank you for expressing my thoughts as well. The article seems to be full of contradictory “advice”.

Use a dependency cooldown, okay … but don’t commit your lockfile so you are always running the latest transitive deps? That’s nuts.

reply


Depends on the package manager. With some you'll get the oldest transitive deps that meet all dependency requirements, not the newest.

reply


How did you reach "Set open-pull-requests-limit to zero" and not recognize this as satire?

reply


You wouldn't believe how many of these things I've seen seriously recommended before. Also, I do have difficulty detecting sarcasm sometimes (even though I'm very fond of it).

Lovely article :)

reply




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: