<![CDATA[Weekend at Bernie's - Which of your dependencies are wearing sunglasses?]]>Weekend at Bernie's - Which of your dependencies are wearing sunglasses?

Link Preview Image
Weekend at Bernie’s

Which of your dependencies are wearing sunglasses

favicon

Andrew Nesbitt (nesbitt.io)

]]>https://board.circlewithadot.net/topic/c3d12578-f444-4cc0-80c2-7c5d39c00939/weekend-at-bernie-s-which-of-your-dependencies-are-wearing-sunglassesRSS for NodeFri, 15 May 2026 08:47:31 GMTFri, 08 May 2026 11:02:02 GMT60<![CDATA[Reply to Weekend at Bernie's - Which of your dependencies are wearing sunglasses? on Fri, 08 May 2026 16:23:29 GMT]]>The code I used to collect and query this data from @ecosystems is here: https://github.com/andrew/weekend-at-bernies

]]>https://board.circlewithadot.net/post/https://mastodon.social/users/andrewnez/statuses/116539877597732579https://board.circlewithadot.net/post/https://mastodon.social/users/andrewnez/statuses/116539877597732579Fri, 08 May 2026 16:23:29 GMT<![CDATA[Reply to Weekend at Bernie's - Which of your dependencies are wearing sunglasses? on Fri, 08 May 2026 16:02:28 GMT]]>@andrewnez That's a nice conundrum:

Declare a tight version range and get hit by vulnerabilities because new versions are not downloaded;

Or accept (patch) updates and get hit because a vulnerable update is downloaded (f.e. due to a supply chain attack).

]]>https://board.circlewithadot.net/post/https://genart.social/users/aerique/statuses/116539794915811584https://board.circlewithadot.net/post/https://genart.social/users/aerique/statuses/116539794915811584Fri, 08 May 2026 16:02:28 GMT<![CDATA[Reply to Weekend at Bernie's - Which of your dependencies are wearing sunglasses? on Fri, 08 May 2026 15:50:20 GMT]]>@donaldball @bagder if you read the post you’ll see that I definitely consider that, it’s about how responsive the maintainers are, not just how often they are committing/releasing

]]>https://board.circlewithadot.net/post/https://mastodon.social/users/andrewnez/statuses/116539747261685830https://board.circlewithadot.net/post/https://mastodon.social/users/andrewnez/statuses/116539747261685830Fri, 08 May 2026 15:50:20 GMT<![CDATA[Reply to Weekend at Bernie's - Which of your dependencies are wearing sunglasses? on Fri, 08 May 2026 15:48:08 GMT]]>@andrewnez @bagder Maybe worth observing that there are mature language ecosystems (clojure, elixir) where folk are culturally quite careful about dependencies, and often times a package not being changed for years is a sign not of abandonment, but that the package is finished.

]]>https://board.circlewithadot.net/post/https://triangletoot.party/users/donaldball/statuses/116539738607840281https://board.circlewithadot.net/post/https://triangletoot.party/users/donaldball/statuses/116539738607840281Fri, 08 May 2026 15:48:08 GMT<![CDATA[Reply to Weekend at Bernie's - Which of your dependencies are wearing sunglasses? on Fri, 08 May 2026 14:30:38 GMT]]>@andrewnez could I get access to the list of dead critical repos in the Cargo ecosystem (ideally in order of criticality)? Seems very relevant to my RustSec work.

]]>https://board.circlewithadot.net/post/https://hachyderm.io/users/djc/statuses/116539433872644447https://board.circlewithadot.net/post/https://hachyderm.io/users/djc/statuses/116539433872644447Fri, 08 May 2026 14:30:38 GMT<![CDATA[Reply to Weekend at Bernie's - Which of your dependencies are wearing sunglasses? on Fri, 08 May 2026 12:03:30 GMT]]>@andrewnez I had a bot write skip-trace to try to track down who in the real world owns a package. A lot of the package repos
- don't care who owns the package
- want to protect privacy

Is Mr Anonymous dead? How can you know anything about someone you know nothing about?

provides no messaging system itself. But does have a package takeover process that depends on messaging!

Client Challenge

favicon

(pypi.org)

]]>https://board.circlewithadot.net/post/https://mastodon.social/users/mistersql/statuses/116538855262370834https://board.circlewithadot.net/post/https://mastodon.social/users/mistersql/statuses/116538855262370834Fri, 08 May 2026 12:03:30 GMT