Risks of Introducing Vulnerabilities in Go Libraries

Dependencies! We need them, but how do we use them effectively and safely? In this week’s episode Kris is joined by Ian and Johnny to discuss the polyfill.io supply chain attack, the history of dependency management and usage in Go, and the Go Proverb that “a little copying is better than a little dependency”. Of course, we wrap up the episode with some Unpopular Opinions!

Join the discussion

Changelog++ members save 5 minutes on this episode because they made the ads disappear. Join today!

Sponsors:

• Speakeasy – Production-ready, Enterprise-resilient, best-in-class SDKs crafted in minutes. Speakeasy takes care of the entire SDK workflow to save you significant time, delivering SDKs to your customers in minutes with just a few clicks! Create your first SDK for free!

Featuring:

• Kris Brandow – GitHub, X
• Johnny Boursiquot – Website, GitHub, X
• Ian Lopshire – GitHub, X

Show Notes:

• Polyfill.io supply chain attack hits 100,000+ websites — all you need to know
• How Go Mitigates Supply Chain Attacks
• Go Proverbs
• A little copying is better than a little dependency

Something missing or broken? PRs welcome!