Updating open source dependencies with Jamie Tanna

Josh discusses updating open source dependencies with Jamie Tanna. Jamie works on Renovate, which gives them a lot of insight into the challenges of keeping your open source updated. We discuss the challenges of semantic versioning, supply chain security, and AI-generated code. If you’re new or old to the world of open source dependencies, there’s something to learn from this chat.

Episode Links: Jamie Tanna; Versioning: We Did It To Ourselves; XKCD Workflow

This episode is also available as a podcast, search for “Open Source Security” on your favorite podcast player. ...

December 8, 2025 · Josh Bressers
Can AI replace our dependencies?

I keep seeing commentary about AI making open source dependencies obsolete. The idea is that instead of using an open source dependency, the AI will just write all the code you need. No more need for that random person in Nebraska. They can finally take a well deserved break! Some people think this is inevitable, some think it’s hogwash. I like to take the stance of disliking everything equally. But to better understand all of this, let’s break it up into a few possible outcomes. There are 4 basic things that could happen if we take these arguments to their ridiculous extremes. ...

November 26, 2025 · Josh Bressers
Episode 317 - The lack of compromise in security

Josh and Kurt talk about the binary nature of security. Many of our ideas are yes or no, there’s not much in the middle. The conversation ends up derailed due to a Twitter thread about pinning dependencies. This gives you an idea of how contentious a topic pinning is. The final takeaway is not to let security turn into your identity, it ends up making a mess.

https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_317_The_lack_of_compromise_in_security.mp3

Show Notes: Josh’s Twitter thread; How to install week old npm packages

April 4, 2022