Hacker News

rpdillon, yesterday at 5:39 PM (1 reply)

The dependencies weren't vendored, meaning their behavior can change at any time if a malicious actor gains control of that third-party repo.

This is bad for security.
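As an added illustration of the point above (example code, not from the thread or any project it refers to), a small Python checker that flags dependency declarations whose content can change upstream: git references that point at a branch or tag instead of a commit hash, and registry versions that are ranges or lack a hash pin. The manifest and its hash value are constructed for the example.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample manifest (requirements.txt style); the sha256 value is a placeholder.
SAMPLE_MANIFEST = """\
requests==2.31.0 --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
flask>=2.0
pyyaml==6.0.1
tool @ git+https://github.com/example/tool.git@main
lib @ git+https://github.com/example/lib.git@3f0c9b2a6d1e4f5b8c7a9d0e1f2a3b4c5d6e7f80
"""

NAME_RE = re.compile(r"^[A-Za-z0-9_.\-\[\]]+")
COMMIT_RE = re.compile(r"^[0-9a-f]{40}$")  # a full git commit hash is content-addressed
VCS_RE = re.compile(r"^\S+\s*@\s*git\+\S+?(?:@(?P<ref>[^#\s]+))?(?:#\S*)?$")
PIN_RE = re.compile(r"^[A-Za-z0-9_.\-\[\]]+\s*==\s*\S+")

def classify_line(line: str) -> Optional[str]:
    """Return why a declaration is mutable upstream, or None if it is immutable."""
    s = line.strip()
    if not s or s.startswith(("#", "-")):
        return None  # blank, comment, or pip option line
    m = VCS_RE.match(s)
    if m:
        ref = m.group("ref")
        if ref is None:
            return "git dependency without a ref: follows the default branch head"
        if not COMMIT_RE.match(ref):
            return f"git ref {ref!r} is a branch or tag, which the upstream repo can move"
        return None  # pinned to a commit hash: content cannot silently change
    if not PIN_RE.match(s):
        return "version is unpinned or a range: the next upstream release is picked up"
    if "--hash=" not in s:
        return "pinned version without --hash: the registry artifact itself is trusted"
    return None

def audit(manifest: str) -> List[Tuple[int, str, str]]:
    """Scan every line of a manifest and collect (line number, name, reason) for mutable ones."""
    findings = []
    for no, line in enumerate(manifest.splitlines(), 1):
        reason = classify_line(line)
        if reason:
            m = NAME_RE.match(line.strip())
            findings.append((no, m.group(0) if m else "?", reason))
    return findings

if __name__ == "__main__":
    for no, name, reason in audit(SAMPLE_MANIFEST):
        print(f"line {no}: {name}: {reason}")
```

Vendoring the code or pinning every dependency to a commit hash or artifact hash leaves the upstream repository no way to alter what gets built.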

Replies

trimethylpurine, yesterday at 10:31 PM

Yes, I agree. And it's sadly, as we can see, still fairly standard practice to ignore it.