Hacker News

You can trust (in time), but you can't blindly upgrade. Vendor, or choose to "lock" with a cryptographic hash over the files your build depends on. You then need to rebuild that trust when you upgrade (wait until everyone else does; read the diffs yourself).

There is something to be said for the Go proverb "a little copying is better than a little dependency", as well. If you want a simple function from a complicated library, you can probably copy it into your own codebase.
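What "locking with a cryptographic hash over the files your build depends on" looks like in practice, as an added example that is not code from the thread or from any real tool (Go itself does this for modules via go.sum; the manifest format below, the file names and the `lockcheck` command are assumptions for this example). The digest covers file paths as well as contents, so a renamed or added file breaks the lock just like a modified one, and the check is meant to run before the build so that an unexpected change stops it instead of silently shipping:

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
	"strings"
)

// ErrLockMismatch is returned when the vendored tree no longer matches the
// digest recorded at the last review.
var ErrLockMismatch = errors.New("dependency tree does not match locked hash")

// HashFiles computes one deterministic digest over a set of files given as
// path -> contents. The manifest format ("<sha256 of contents>  <path>\n",
// sorted by path, then hashed again) is an assumption for this example; it is
// loosely modelled on go.sum's per-file hash list but is not compatible with it.
func HashFiles(files map[string][]byte) string {
	paths := make([]string, 0, len(files))
	for p := range files {
		paths = append(paths, p)
	}
	sort.Strings(paths) // map iteration order is random; the manifest must not be

	var manifest strings.Builder
	for _, p := range paths {
		sum := sha256.Sum256(files[p])
		fmt.Fprintf(&manifest, "%s  %s\n", hex.EncodeToString(sum[:]), p)
	}
	final := sha256.Sum256([]byte(manifest.String()))
	return hex.EncodeToString(final[:])
}

// ReadTree loads every regular file under root, keyed by its slash-separated
// path relative to root, so the digest does not depend on where the tree was
// checked out. Symlinks and other non-regular entries are skipped rather than
// followed, so a link pointing outside the tree cannot influence the digest.
func ReadTree(root string) (map[string][]byte, error) {
	files := make(map[string][]byte)
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if !d.Type().IsRegular() {
			return nil
		}
		rel, err := filepath.Rel(root, path)
		if err != nil {
			return err
		}
		data, err := os.ReadFile(path)
		if err != nil {
			return err
		}
		files[filepath.ToSlash(rel)] = data
		return nil
	})
	return files, err
}

// Verify recomputes the digest and refuses to proceed unless it equals the
// value locked when the dependency was last reviewed.
func Verify(files map[string][]byte, locked string) error {
	got := HashFiles(files)
	if got != locked {
		return fmt.Errorf("%w: want %s, got %s", ErrLockMismatch, locked, got)
	}
	return nil
}

// Usage (assumed command name): lockcheck <vendor-dir>            prints the digest to record
//                               lockcheck <vendor-dir> <digest>   exits non-zero on mismatch
func main() {
	if len(os.Args) < 2 {
		fmt.Fprintln(os.Stderr, "usage: lockcheck <dir> [locked-sha256]")
		os.Exit(2)
	}
	files, err := ReadTree(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, "reading tree:", err)
		os.Exit(1)
	}
	if len(os.Args) == 2 {
		fmt.Println(HashFiles(files))
		return
	}
	if err := Verify(files, os.Args[2]); err != nil {
		fmt.Fprintln(os.Stderr, "refusing to build:", err)
		os.Exit(1)
	}
	fmt.Println("dependency tree matches lock")
}
```

The digest only tells you that the files changed, not whether the change is benign; that is why the upgrade step in the comment above is a review (read the diffs, wait for others to run it), after which the new digest is recorded and the lock is rebuilt.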



> the Go proverb "a little copying is better than a little dependency"

What a nice way to put it! Thanks for the mention and thanks for making me discover https://go-proverbs.github.io/ .




