What do people think about Pants in general shavin...
# developmenth
hundreds-father-404
11/05/2021, 4:00 PMWhat do people think about Pants in general shaving off some of its third-party dependencies? Even though the dep set is already small and from trusted libraries, seeing an attack like this after another attack last week has made me sour on third-party deps. Plus they increase the install time for Pants
https://www.bleepingcomputer.com/news/security/popular-coa-npm-library-hijacked-to-steal-user-passwords/
hundreds-father-404
11/05/2021, 4:01 PMI know lockfiles help a lot to reduce the risk of supply chain attacks
hundreds-father-404
11/05/2021, 4:02 PMSome of our deps seem too hard to replace like PyYAML, but others seem reasonable like ansicolors (vendor what we use) and setproctitle (do it in rust)
hundreds-father-404
11/05/2021, 4:03 PMNot necessarily that this is high priority thanks to lockfiles and the set being small. But curious the general direction to go
w
witty-crayon-22786
11/05/2021, 4:04 PMon the python side i’d like to reduce deps for purely practical reasons (i expect that it will make it easier to statically link)
💯 1
witty-crayon-22786
11/05/2021, 4:04 PMin general though, i’m not sure there are any good rules of thumb we can follow, beyond “be thoughtful about taking on deps”
👍🏻 1
👍 1
witty-crayon-22786
11/05/2021, 4:05 PMthe rust crate ecosystem makes it very hard to abstain.
➕ 1
b
bitter-ability-32190
11/05/2021, 4:36 PMVendoring deps helps, and usually most python libs have permissive licenses
bitter-ability-32190
11/05/2021, 4:37 PMAdditionally, JS/TS seems more of a target than Python. (not that is an excuse not to care)
👍 1
w
witty-crayon-22786
11/05/2021, 4:42 PMwe haven’t taken a swing at it recently, but the medium term ambition is https://github.com/pantsbuild/pants/issues/7369
b
bitter-ability-32190
11/05/2021, 4:42 PMYeah I'm subscribed to that thread. VERY excited to see progress 🤓
w
witty-crayon-22786
11/05/2021, 4:43 PMthe PyOxidizer maintainer has been making steady progress, so it’s likely due for another attempt
💪 2
f
flat-zoo-31952
11/05/2021, 5:03 PMVendoring deps helps, and usually most python libs have permissive licensesVendoring deps exposes you to CVEs discovered after you copy the source into your code, unless you're very proactive about backporting fixes to your vendored fork. Lockfiles + cautiously optimistic upgrades powered by things like dependabot is probably a safer route
🤔 1
flat-zoo-31952
11/05/2021, 5:06 PMThe NPM ecosystem is a bigger threat to this, but that just seems to be because they make a tiny little package for everything in that world, and the stdlib is so weak that even those little packages tend to have tons of transitive deps... so it's very easy to end up dragging in something bad
➕ 1
b
bitter-ability-32190
11/05/2021, 7:54 PM172,700 weekly downloads of `is-even`: https://www.npmjs.com/package/is-even
😢 1