With all the supply chain attacks happening lately (litellm being the most recent example) keeping dependencies up to date without risk has been on my mind. Below is everything I do to keep my personal projects secure, what we do at Fencer to keep our own codebase secure, and what we recommend to the startups we work with. Be hesitant about what you add The best way to reduce the risk of installing a compromised dependency is to avoid relying on it in the first place. Before adding a new dependency, I first make sure that implementing it ourselves would be too much work (or tokens!).
No comments yet. Log in to reply on the Fediverse. Comments will appear here.