Comment by dcow

In the context I work, I expect external software to be audited when incorporated into a project. It should be a significant decision backed by clear rationale to depend on someone else’s code not simply a convenience because we’re all lazy devs. I review diffs when updating library versions and guide people to prefer writing in-house solutions over including pop-software libraries. I hold my team accountable for the software they produce. I don’t disagree that everything works better when we all play nice, but I also don’t agree with deflecting the blame when your software is compromised because it doesn’t actually solve the problem and allows the same poor habits to continue unchecked. If you don’t understand a dependency enough to implement it yourself were it to disappear or break, you shouldn’t be using it.