The Chonkerton

Dependencies should be fetched directly from VCS

dev_tools

A developer on Hacker News argues that software dependencies should be fetched directly from version control systems—like GitHub—rather than from centralized package registries. The pitch is security. Registries are concentrated targets: compromise a single popular package or account, and malware reaches thousands of dependent projects at once. Fetching code straight from source repositories eliminates that single point of failure. The cost is friction in dependency management, but according to this argument, that's a worthy trade for supply chain security.

Source: https://www.arp242.net/deps-vcs.html
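The friction the argument accepts shows up in how a VCS dependency is written down: a branch or tag name is mutable and can be moved by whoever controls the repository, while a full commit hash pins exactly one revision. The following checker is an added example, not code from the article or from any package manager; it assumes pip-style `name @ git+https://host/path@ref` lines (constructed samples inline) and a policy of https-only references pinned to a full commit SHA.

```python
import re
from typing import List, Tuple

# Pip-style direct VCS reference: "name @ git+https://host/path@ref".
# The https-only rule is a policy choice assumed for this example.
VCS_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)\s*@\s*git\+(?P<url>https://[^@\s]+)@(?P<ref>[^\s#]+)"
)
# Only a full 40-hex git object id is treated as an immutable pin.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def check_vcs_dependency(line: str) -> Tuple[bool, str]:
    """Return (ok, reason) for one requirement line.

    ok is True only for a git+https reference pinned to a full commit SHA.
    A commit pin fixes the content, but does not authenticate the host; a
    lockfile hash of the fetched tree is still worth keeping alongside it.
    """
    m = VCS_RE.match(line.strip())
    if not m:
        return False, "not a git+https direct reference (registry dep or other scheme)"
    ref = m.group("ref")
    if not FULL_SHA_RE.match(ref):
        return False, f"ref {ref!r} is a mutable branch or tag; pin a full commit SHA"
    return True, f"{m.group('name')} pinned to {ref[:12]} from {m.group('url')}"


def audit(lines: List[str]) -> List[Tuple[str, bool, str]]:
    """Check every non-blank, non-comment line; returns (line, ok, reason)."""
    return [
        (ln, *check_vcs_dependency(ln))
        for ln in lines
        if ln.strip() and not ln.lstrip().startswith("#")
    ]


# Constructed sample requirements; the repositories and hash are placeholders.
SAMPLE = [
    "# constructed requirements.txt",
    "reqlib @ git+https://github.com/example-org/reqlib@main",
    "tool @ git+https://github.com/example-org/tool@v1.2.0",
    "lib @ git+https://github.com/example-org/lib@0123456789abcdef0123456789abcdef01234567",
    "flask==2.0",
]

if __name__ == "__main__":
    for line, ok, reason in audit(SAMPLE):
        print("PASS" if ok else "FAIL", reason)
```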
