Comment by doodlesdev

9 hours ago 

   > Modern languages like Zig, Gleam, and Roc offer genuine productivity benefits and attract top talent. As a bonus, their ecosystems are young enough that security tooling has not caught up yet. Dependabot will add support eventually, but until then you get the best of both worlds: a modern stack and a quiet PR queue.

How the hell is that actually a good thing? You might as well just use another language and disable Dependabot security updates if that's what you're looking for. Dependabot security updates aren't a liability, they're an asset in a world where developers use hundreds of dependencies daily, where every few months one of them is going to have a XSS or RCE vulnerability that has to be patched ASAP.

   > And if you are really concerned about a dependency’s security, you can always rewrite it yourself in Rust over a weekend.

That's not how it works. Honestly, this blog post gets me really worried about this developer's projects and clients.

   > Remove lockfiles from version control

What the fuck.

9 comments

doodlesdev

Reply
wirelesspotat  9 hours ago

I'm pretty sure the article is joking

> If the vulnerability were critical, someone would have merged it by now.

> GitHub Copilot can automatically suggest fixes for security vulnerabilities. Instead of updating to a patched version, let AI generate a workaround in your own code.

  • doodlesdev  1 hour ago 

       > I'm pretty sure the article is joking

    Went right over my head LOL it actually made me angry reading it earlier hahaha

    Well, that makes a lot of sense. I guess I didn't take it as a joke because I've seen some of these things recommended before (including not checking in lockfiles) in other contexts.

lanyard-textile  9 hours ago

I started to reevaluate the seriousness of this advice with the going to jail prompt. I probably should have caught on sooner :)

  • doodlesdev  1 hour ago

    I didn't manage to get to that point of the article out of pure anger... He got me all right LOL

equinumerous  9 hours ago

The "> Remove lockfiles from version control" got me as well.

> Reproducible builds sound nice in theory, but velocity matters more than determinism. Think of it as chaos engineering for your dependency tree.

Reproducible builds are nice in practice, too. :) In the Node.js ecosystem, if you have enough dependencies, even obeying semver your dependencies will break your code. Pinning to specific versions is critical.

williamjackson  9 hours ago

Thank you for expressing my thoughts as well. The article seems to be full of contradictory “advice”.

Use a dependency cooldown, okay … but don’t commit your lockfile so you are always running the latest transitive deps? That’s nuts.

  • Uvix  7 hours ago

    Depends on the package manager. With some you'll get the oldest transitive deps that meet all dependency requirements, not the newest.

yunwal  8 hours ago

How did you reach "Set open-pull-requests-limit to zero" and not recognize this as satire?

  • doodlesdev  1 hour ago

    You wouldn't believe how many of these things I've seen seriously recommended before. Also, I do have difficulty detecting sarcasm sometimes (even though I'm very fond of it).

    Lovely article :)