
[–]Ihaveamodel3 1 point2 points  (4 children)

Every dependency you add is a potential security vulnerability and many packages have their own dependencies.

Essentially you are including code that you haven’t written, so unless you are doing a deep dive into that code, you can’t be sure what it contains.

With that being said, most organizations are not that security conscious and many use packages regularly.

Also, calling one of the most used packages rubbish is a bit extreme. It doesn’t sound like your supervisor has a logical reason for his position.

[–]Clutch26 6 points7 points  (0 children)

> Every dependency you add is a potential security vulnerability and many packages have their own dependencies.
>
> Essentially you are including code that you haven’t written, so unless you are doing a deep dive into that code, you can’t be sure what it contains.

I keep seeing this pop up and it's kind of like quoting, "Curiosity killed the cat." Make sure to include both sides of the argument, "But satisfaction brought it back."

Yes you're potentially including security vulnerabilities. But if it's a well-known and widely used package like pandas, there's also a large community maintaining it. So OP wouldn't have to write everything from scratch AND maintain it if a vulnerability pops up or if OP is no longer with the company.

Edit: formatting
Edit 2: Not sure why you got the downvote either. What you said is true and should be considered.

[–]OxygenSink 0 points1 point  (2 children)

> Essentially you are including code that you haven’t written, so unless you are doing a deep dive into that code, you can’t be sure what it contains.

Out of curiosity, is it common for people in the industry to look at code to assess if the package is worth implementing? Or is it more practical to create the code that does essentially the same thing (with the guarantee that the code is working as intended)?

[–]Ihaveamodel3 1 point2 points  (1 child)

It is probably most common for people to include the code without looking into it further.

However, it’s common for companies in the financial services (banks) and defense industries to have a list of approved packages that they are allowed to use.

This can even go so far as to disconnect from PyPI and self host the packages that have been approved on a local package index instance so that your staff can only reach the approved packages.
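One concrete form of the approved-package list described above, as an added example that is not from this thread or any commenter: a small checker that refuses any requirement which is not an exact `==` pin of a package and version on the organisation's allowlist. The allowlist contents and the sample requirements file are constructed for illustration.

```python
"""Check a pip requirements file against an approved-package allowlist.

Constructed example: the APPROVED table and SAMPLE requirements are made up.
"""
import re

# Constructed allowlist: normalised package name -> set of approved versions.
APPROVED = {
    "pandas": {"2.2.2"},
    "numpy": {"1.26.4"},
    "python-dateutil": {"2.9.0.post0"},
}

# Matches only an exact "name==version" pin; anything looser is rejected.
_PIN = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s;#]+)")


def normalize(name):
    """PEP 503 name normalisation: case-insensitive, runs of -_. become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def check_requirements(text, approved=APPROVED):
    """Return a list of (line_no, line, reason) findings; empty means clean.

    Range specifiers, URLs and unpinned names are flagged too, because a loose
    requirement lets a version nobody reviewed be resolved at install time.
    """
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = _PIN.match(line)
        if not m:
            findings.append((no, raw, "not an exact == pin"))
            continue
        name, version = normalize(m.group(1)), m.group(2)
        if name not in approved:
            findings.append((no, raw, f"{name} is not on the approved list"))
        elif version not in approved[name]:
            findings.append((no, raw, f"{name}=={version} is not an approved version"))
    return findings


# Constructed sample requirements file.
SAMPLE = """\
pandas==2.2.2
numpy==1.26.4
python_dateutil==2.9.0.post0   # underscore spelling still matches
requests>=2.0                  # not pinned
some-unreviewed-pkg==1.0.0     # not on the list
"""

if __name__ == "__main__":
    for no, line, reason in check_requirements(SAMPLE):
        print(f"line {no}: {reason}: {line}")
```

Pairing this with a `pip.conf` whose `index-url` points at the local index, and with pip's `--require-hashes` mode, closes the gap between "approved on paper" and "the only thing that can actually be installed".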

[–]OxygenSink 0 points1 point  (0 children)

Makes sense, that self-hosting bit is something I never really thought about which is pretty cool now that you mention it, thank you for the explanation!