I remember back in my MacOS dev days being told that I should be using CocoaPods and when I told them that was a stupid idea (I had like 3 dependencies and regularly poked around in the source for all of them) I was the old fashioned old man. “But it automates all the updates!”. So what? There’s 3. a) I don’t need it, it’s super easy to pull changes from source and b) when I do it manually I actually *look* at the updates like a sane person would https://arstechnica.com/?p=2034866

Of course there’s no reason you can’t use automated package managers *and* do the kind of due diligence a responsible developer would do when pulling code from third parties into their project, but I don’t think I’ve ever seen anyone do this. Instead it seems normal to implicitly trust anything that comes out of a package management system no matter who controls it and that’s always been wild to me.

And the thing is, the number of external dependencies (and their update volume) that you can realistically, properly vet for inclusion in your project, is inherently small enough that you don’t need a package manager. And if you need a package manager to handle it all, you can’t be checking what you’re pulling in and so you’re definitely vulnerable.

“Vetting” can mean delegating due diligence to the publisher (or repackager) rather than personally reading the source, but that means vetting the publisher instead. And there is a finite number of those that you can maintain vetted trust in at any one time. You can’t just assume that the “community” somehow automatically protects you against bad actors. It might, but it’s been shown many times that it might not; sometimes everyone thinks someone else would have spotted a problem and no-one does

@sinbad Rust also seems to use that "hundreds of tiny libs" model - I wonder if they do something to ensure security or if in the end it's the same mess as everywhere else