agwa 3 hours ago

deps.dev does an absolutely terrible job with Go dependencies. It thinks modules are the unit of dependency rather than packages. Consequently, it reports vulnerabilities in packages that are never even imported. For example, https://deps.dev/go/filippo.io%2Fsunlight shows a "9.1 CRITICAL" vulnerability in a supposed SSH dependency from a project that has nothing to do with SSH.

Google ought to be embarrassed by this, especially when govulncheck <https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck> exists and actually checks whether vulnerable code is reachable.
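As an added illustration of the module-versus-package distinction made above (this is not code from deps.dev, govulncheck, or the commenter; the module paths, package names and advisory IDs are all hypothetical and the import graph is constructed), the following Go program runs the two matching strategies side by side over the same dependency graph. Module-level matching flags an advisory as soon as any package of the affected module is reachable; package-level matching flags it only when the vulnerable package itself is in the import graph. govulncheck goes a step further and checks whether the vulnerable symbols are actually called, which this model does not attempt.

```go
package main

import (
	"fmt"
	"sort"
)

// Constructed import graph for a hypothetical application. Keys and values are
// package import paths; none of these modules or packages are real.
var importGraph = map[string][]string{
	"example.com/app":      {"example.com/lib/json", "example.com/util"},
	"example.com/lib/json": {"example.com/util"},
	"example.com/lib/ssh":  {"example.com/lib/json"}, // same module as lib/json, never imported by app
	"example.com/util":     {},
}

// packageModule maps each package to the module that provides it (constructed).
var packageModule = map[string]string{
	"example.com/app":      "example.com/app",
	"example.com/lib/json": "example.com/lib",
	"example.com/lib/ssh":  "example.com/lib",
	"example.com/util":     "example.com/util",
}

// Advisory is a hypothetical vulnerability record scoped to one package.
type Advisory struct {
	ID      string
	Module  string
	Package string
}

// Constructed advisories; the IDs are placeholders, not real vulnerability IDs.
var advisories = []Advisory{
	{ID: "HYPO-0001", Module: "example.com/lib", Package: "example.com/lib/ssh"},
	{ID: "HYPO-0002", Module: "example.com/lib", Package: "example.com/lib/json"},
}

// reachablePackages returns the set of packages transitively imported from
// root, including root itself (breadth-first walk over importGraph).
func reachablePackages(root string) map[string]bool {
	seen := map[string]bool{root: true}
	queue := []string{root}
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		for _, dep := range importGraph[cur] {
			if !seen[dep] {
				seen[dep] = true
				queue = append(queue, dep)
			}
		}
	}
	return seen
}

// moduleLevelFindings flags every advisory whose module provides any reachable
// package, whether or not the vulnerable package itself is imported.
func moduleLevelFindings(root string) []string {
	reachableModules := map[string]bool{}
	for pkg := range reachablePackages(root) {
		reachableModules[packageModule[pkg]] = true
	}
	var ids []string
	for _, a := range advisories {
		if reachableModules[a.Module] {
			ids = append(ids, a.ID)
		}
	}
	sort.Strings(ids)
	return ids
}

// packageLevelFindings flags only advisories whose vulnerable package is
// actually present in the import graph rooted at root.
func packageLevelFindings(root string) []string {
	reachable := reachablePackages(root)
	var ids []string
	for _, a := range advisories {
		if reachable[a.Package] {
			ids = append(ids, a.ID)
		}
	}
	sort.Strings(ids)
	return ids
}

func main() {
	root := "example.com/app"
	fmt.Println("module-level findings: ", moduleLevelFindings(root))
	fmt.Println("package-level findings:", packageLevelFindings(root))
}
```

With the constructed graph, module-level matching reports both advisories because example.com/lib is a dependency, while package-level matching reports only HYPO-0002: example.com/lib/ssh is never imported by the application, so HYPO-0001 is the kind of false positive the comment describes.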

r1chardnl 3 hours ago

I don't know how well this makes you understand your dependencies. As for C/C++, a lot of people probably depend on stb's single-header-file libraries. There's stb_truetype, but it specifically mentions not to use it on any untrusted/outside .ttf files, which I do like, but you have to keep in mind to bake to bitmaps or only use your own provided .ttf files; thus I would put this dependency in another place like tooling. Is there a way to do this in other languages like JS and NPM? Maybe carefully choosing which dependencies you include is better?

https://github.com/nothings/stb/blob/master/stb_truetype.h#L...

  • codr7 an hour ago

    Maybe :)

    Dependencies are something you learn to be VERY careful with, sooner or later.

recursivedoubts 4 hours ago

no dependency is more understandable than the dependency that doesn’t exist

  • bluGill 25 minutes ago

    That is a trade-off: if you need something, you either depend on it or write something to do it yourself. One way you have a dependency; the other way, a lot more code to maintain.

    I go back and forth on what is best. I constantly hit issues that make me regret whichever choice I made for that one thing.