this post was submitted on 12 Apr 2026
12 points (92.9% liked)

Security

2039 readers
6 users here now

A community for discussion about cybersecurity, hacking, cybersecurity news, exploits, bounties etc.

Rules :

  1. All instance-wide rules apply.
  2. Keep it totally legal.
  3. Remember the human, be civil.
  4. Be helpful, don't be rude.

Icon base by Delapouite under CC BY 3.0 with modifications to add a gradient

founded 2 years ago
MODERATORS
Vacant@programming.dev
12
No one owes you supply-chain security (purplesyringa.moe)
submitted 1 day ago by codeinabox@programming.dev to c/security@programming.dev
3 comments fedilink hide all child comments
 

cross-posted from: https://lemmy.bestiver.se/post/1043778

Comments

you are viewing a single comment's thread
view the rest of the comments
[–] Kissaki@programming.dev 4 points 1 day ago

Not updating with audit would work if every direct and transient dependency provided security updates for every version. But they don't. Often, security updates are for the most recent version or versions, and if you're far behind, you now have to audit a lot more.

Transient dependencies are an audit problem, too. To audit something, you have to essentially audit recursively. Many libs use many other libs of varied authors.

Our systems are too open, too vulnerable. A build or check being able to access all resources is a fundamental systematic vulnerability.