Comment by bauruine
2 years ago
There is still the chance that the person that created the 4-line dependency also just copy-pasted it from the flawed StackOverflow answer. Or it is the same person, or it is also just a random person creating the package, like the random person that created the SO answer. I'm not sure why random_person1 should be more trustworthy to produce non-flawed code than random_person2.
OTOH: It's at least easily upgradeable, so it has an advantage.
> There is still the chance
There's no chance if you avoid random_person1 and use known_oss_provider’s package instead. At the very least, look at the tests.
Any package with tests is guaranteed to be more correct than a never-before-run SO answer.
There is still the chance. As the article states, OpenJDK copied from the Stack Overflow answer.
Sure, but if OpenJDK is exposing that function then anyone who is using it will get the correct output when OpenJDK fixes the problem. If everyone copies the function into their own code then in many cases it's likely to never be corrected.
What if you write the code and test in your project?