https://pantsbuild.org/ logo
#development
Title
# development
h

hundreds-father-404

11/05/2021, 4:00 PM
What do people think about Pants in general shaving off some of its third-party dependencies? Even though the dep set is already small and from trusted libraries, seeing an attack like this after another attack last week has made me sour on third-party deps. Plus they increase the install time for Pants https://www.bleepingcomputer.com/news/security/popular-coa-npm-library-hijacked-to-steal-user-passwords/
I know lockfiles help a lot to reduce the risk of supply chain attacks
Some of our deps seem too hard to replace like PyYAML, but others seem reasonable like ansicolors (vendor what we use) and setproctitle (do it in rust)
Not necessarily that this is high priority thanks to lockfiles and the set being small. But curious the general direction to go
w

witty-crayon-22786

11/05/2021, 4:04 PM
on the python side i’d like to reduce deps for purely practical reasons (i expect that it will make it easier to statically link)
💯 1
in general though, i’m not sure there are any good rules of thumb we can follow, beyond “be thoughtful about taking on deps”
👍🏻 1
👍 1
the rust crate ecosystem makes it very hard to abstain.
1
b

bitter-ability-32190

11/05/2021, 4:36 PM
Vendoring deps helps, and usually most python libs have permissive licenses
Additionally, JS/TS seems more of a target than Python. (not that is an excuse not to care)
👍 1
w

witty-crayon-22786

11/05/2021, 4:42 PM
we haven’t taken a swing at it recently, but the medium term ambition is https://github.com/pantsbuild/pants/issues/7369
b

bitter-ability-32190

11/05/2021, 4:42 PM
Yeah I'm subscribed to that thread. VERY excited to see progress 🤓
w

witty-crayon-22786

11/05/2021, 4:43 PM
the PyOxidizer maintainer has been making steady progress, so it’s likely due for another attempt
💪 2
f

flat-zoo-31952

11/05/2021, 5:03 PM
Vendoring deps helps, and usually most python libs have permissive licenses
Vendoring deps exposes you to CVEs discovered after you copy the source into your code, unless you're very proactive about backporting fixes to your vendored fork. Lockfiles + cautiously optimistic upgrades powered by things like dependabot is probably a safer route
🤔 1
The NPM ecosystem is a bigger threat to this, but that just seems to be because they make a tiny little package for everything in that world, and the stdlib is so weak that even those little packages tend to have tons of transitive deps... so it's very easy to end up dragging in something bad
1
b

bitter-ability-32190

11/05/2021, 7:54 PM
172,700 weekly downloads of `is-even`: https://www.npmjs.com/package/is-even
😢 1