Hacker News

lwhit, today at 9:16 AM

I suppose it mitigates the potential risk of libraries being poisoned?


Replies

baliex, today at 10:26 AM

Well, kind of, or you just end up copying the poisoned version directly into your repo rather than having it as a dependency. Same outcome.

I suppose if you're running some security analysis on code in your own repo, the fact that you've copied the code in means that it'll run on your third party dependencies too, since they no longer appear to be third party.