Don't Be Afraid to Re-Invent the Wheel

> In the end, it makes little difference if your organization lost all its high value data due to an insecure external codebase or an insecure internal codebase. The effects are the same, devastating! However, the probabilities of occurrence can be quite different.

But there is a good chance it will matter for you!

How many people do you think got fired for the Log4J RCE for using the library. How many people got fired for the Heartbleed vulnerability for using OpenSSL?

What would have happened if you had written those vulnerabilities yourself?

Also, if you have the same vulnerabilities as everyone else, the news coverage is diluted.

If your dependency is sqlite or a webserver, don't bother. But I agree that nowaday the tendency is to import even the most trivial of things.

There is a line that has to be drawn between "depends on legendarily well tested database" and "depends on 20 pieces of random npm code where the import statement is longer than the sourcecode". Do you really need to import an external dependency that removes whitespace at the end of a string?

Unless you are one of the people who really vet their dependencies heavily surely dependencies are just used because they save you time and you trust others that it is going to be okay. This is why we need harder liability laws for software errors.