Dependencies are a huge supply chain security risk; the more of them you have, and the more often you update, the bigger the attack surface.
  • Eager Eagle@lemmy.worldEnglish
    1·
    1 month ago

    You should probably turn off Dependabot

    Nonsense, most of these supply chain attacks are detected and have their problematic versions pulled within a few hours. Just set a cooldown period for dependabot.

    • FizzyOrange@programming.dev
      0·
      1 month ago

      I think the only mainstream language with a standard library that is both good and comprehensive is Go. All of the others either have smaller standard libraries (e.g. Rust) or poorly designed ones (Python).

      • GiorgioPerlasca@lemmy.ml
        0·
        1 month ago

        Java, .net and C++ have standard libraries that are much bigger and much more battle tested than the one of Go.

        • FizzyOrange@programming.dev
          1·
          1 month ago

          I haven’t used Java for decades and never used .net so I’ll take your word for those. Absolutely not for C++ though.

          Go’s standard library has:

          • JSON, XML, etc.
          • A web client and server
          • Bigints
          • Logging
          • JPEG, PNG and GIF
          • SQL client
          • SSH client
          • All the crypto algorithms
          • Gzip, zlib, deflate, etc.

          C++ has none of that. Hell C++ only got a function to check if a string starts with a prefix a few years ago.