Apps that bundle dependencies will have those deps out-of-date. They need to be sandboxed if they're bundled. —

@ted Bundled dependencies can only work if there's an automated process to update them in the bundle. In my opinion, which on this topic is not humble.

@liw I think that makes sense and is a best practice.

I would say the *minimum* for bundled dependencies is a sandbox though. Many times the security issues for a dep aren't in a way that is used by most applications, so a sandbox makes things drastically safer.

@ted A sandbox would make sense for most software, actually.

Sign in to participate in the conversation

The social network of the future: No ads, no corporate surveillance, ethical design, and decentralization! Own your data with Mastodon!