(Draft) I'm a trusting person, but not with dependencies

Published on Aug 5, 2025

Third-party dependencies aren’t just helpful, they’re the backbone of modern software development. They let us build faster, standing on the shoulders of brilliant open-source contributors. But every time we install a package, we also invite someone else’s code into our app, and with it, their bugs, their decisions, and their security holes.

I didn’t think much about this until I recently read a LinkedIn post about someone tricking interviewees into installing their dodgy repo. The eslint-config-prettier issue also raised my concern. Lastly, I released VSCarbon (a VS Code extension; the repo is here) and started caring more about security. That’s why I stopped trusting dependencies blindly.

  • Watch for unknown or very new packages with few downloads
  • (optional) Test unknown projects in a Docker sandbox

```bash
# start a bash shell inside a throwaway container (deleted on exit); the project
# is mounted read-only so install scripts cannot modify files on the host
docker run --rm -it -v "$PWD":/src:ro node:20 bash
# inside the container: work on a copy, then install and audit
cp -r /src /app && cd /app
npm install
npm audit
```

  • Use tools like npq to audit npm packages before installing

```bash
# npq runs its checks on the package and prompts before handing off to npm
npx npq install some-new-lib
```

  • Lock versions. package-lock.json used to confuse me. Lock files record exactly which dependency versions are in use, which makes auditing and rolling back easier and prevents accidentally pulling in newer versions that might contain vulnerabilities.
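The checklist above can be turned into two offline checks. The script below is an added example, not code from the original post: `assessPackage()` applies the "very new / few downloads" heuristic plus a check for install-time lifecycle scripts (the reason the sandbox step exists) to registry metadata, and `auditLockfile()` scans a package-lock.json for entries that cannot be verified (no `integrity` digest, or a tarball resolved from a host other than the registry). The input shapes follow the npm registry packument, the npm downloads API and lockfileVersion 3, but every value, name and threshold here is constructed; the function names are mine. One caveat the lockfile bullet implies: the lock only protects you when you install from it with `npm ci`, which fails rather than silently updating when package.json and the lock disagree.

```javascript
// Added example (not from the original post): offline checks for the dependency
// checklist. All data below is constructed so the script runs without network access.

const DAY_MS = 24 * 60 * 60 * 1000;
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Constructed packument: first published three days before the reference date,
// carries a postinstall hook, and has almost no downloads.
const newPackument = {
  name: 'some-new-lib',
  'dist-tags': { latest: '1.0.0' },
  time: { created: '2025-08-02T00:00:00.000Z', '1.0.0': '2025-08-02T00:00:00.000Z' },
  versions: { '1.0.0': { scripts: { postinstall: 'node setup.js' } } },
};
const newDownloads = { package: 'some-new-lib', downloads: 12 };

// Constructed packument: a long-established package with no lifecycle scripts.
const maturePackument = {
  name: 'established-lib',
  'dist-tags': { latest: '2.1.0' },
  time: { created: '2016-01-10T00:00:00.000Z', '2.1.0': '2024-11-02T00:00:00.000Z' },
  versions: { '2.1.0': {} },
};
const matureDownloads = { package: 'established-lib', downloads: 4200000 };

// Fixed reference time so results are deterministic; a real run would use Date.now().
const REFERENCE_NOW = Date.parse('2025-08-05T00:00:00.000Z');

// Returns a list of flags; an empty list means none of the heuristics fired.
function assessPackage(packument, downloads, now = Date.now(),
                       { minAgeDays = 30, minWeeklyDownloads = 1000 } = {}) {
  const flags = [];
  const created = Date.parse(packument.time && packument.time.created);
  if (Number.isNaN(created)) flags.push('no-publish-date');
  else if (now - created < minAgeDays * DAY_MS) flags.push('very-new');
  if ((downloads.downloads || 0) < minWeeklyDownloads) flags.push('few-downloads');
  // lifecycle scripts run arbitrary code on `npm install`; worth knowing before installing
  const latest = packument['dist-tags'] && packument['dist-tags'].latest;
  const manifest = (packument.versions || {})[latest] || {};
  const hooks = INSTALL_HOOKS.filter((h) => h in (manifest.scripts || {}));
  if (hooks.length > 0) flags.push('install-scripts:' + hooks.join(','));
  return flags;
}

// Constructed package-lock.json (lockfileVersion 3); the integrity value is a
// placeholder, not a real digest.
const sampleLock = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { 'established-lib': '^2.1.0', 'some-new-lib': '^1.0.0' } },
    'node_modules/established-lib': {
      version: '2.1.0',
      resolved: 'https://registry.npmjs.org/established-lib/-/established-lib-2.1.0.tgz',
      integrity: 'sha512-PLACEHOLDERdigestPLACEHOLDERdigestPLACEHOLDER==',
    },
    // tarball pulled from an arbitrary host, with nothing to verify it against
    'node_modules/some-new-lib': {
      version: '1.0.0',
      resolved: 'https://example.invalid/some-new-lib-1.0.0.tgz',
    },
  },
};

// Returns {name, issue} findings for lock entries npm could not verify on install.
function auditLockfile(lock, trustedHosts = ['registry.npmjs.org']) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '' || entry.link) continue; // root project or workspace symlink
    const name = path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
    if (!entry.integrity) findings.push({ name, issue: 'missing-integrity' });
    if (!entry.resolved) { findings.push({ name, issue: 'missing-resolved' }); continue; }
    let host;
    try { host = new URL(entry.resolved).host; }
    catch { findings.push({ name, issue: 'unparseable-resolved' }); continue; }
    if (!trustedHosts.includes(host)) findings.push({ name, issue: 'untrusted-host:' + host });
  }
  return findings;
}

// Stand-alone run: show the checklist results for the constructed data.
console.log('some-new-lib:', assessPackage(newPackument, newDownloads, REFERENCE_NOW));
console.log('established-lib:', assessPackage(maturePackument, matureDownloads, REFERENCE_NOW));
console.log('lockfile:', auditLockfile(sampleLock));
```

The thresholds (30 days, 1000 weekly downloads) are starting points to tune per project, and a flag is a prompt to look closer, not a verdict; the lockfile check is the one worth wiring into CI, since an entry without `integrity` or resolved from outside the registry is exactly the kind of change a compromised or hand-edited lock would introduce.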