This Week I Learned: Dependency Hell As Anti-war Protest [2022–03–25]

Peter Brownlow
Mar 25, 2022

Dependency management in software continues to be one of those things that mostly works fine once it’s set up, and that we mostly don’t think about, but that is absolutely terrifying if we think hard about what’s actually happening.

A lot of us are blindly running code written by strangers on the internet, that those strangers can arbitrarily update at a time of their choosing. I’m probably doing it too, somewhere, without wanting to. We probably all are.

This week’s brown-pants moment is brought to us by a prolific coder who decided to protest Russia’s actions in Ukraine by releasing new versions of Node packages that delete all files on the computers where they’re run, if those computers are in Russia or Belarus. Furthermore, it turns out that the popular Vue.js was configured to use the latest version of the package rather than a pinned one, amplifying the effect.
