Every dependency you add is a supply chain attack waiting to happen
April 2026

In my essay "The small web is beautiful", I discussed how using fewer dependencies makes programs smaller. It also makes them safer. As we have seen recently, third-party libraries can and do get compromised. We saw this on a grand scale with the XZ backdoor, and more recently with the Trivy incident and with the compromise of LiteLLM, which itself stemmed from the Trivy compromise.

The interesting thing about Trivy is that it is not even a runtime dependency; it is a dev dependency. But a compromise in a dev dependency can still steal credentials and take over projects, because it runs with the same access to the developer's machine and CI as the build itself.

The careful reader may note that my title is not quite accurate. It's not every dependency you add that's a problem;…