Do we rely too much on third party libraries from NuGet?
Are we exposing our clients to risks here by taking on all these dependencies?
NuGet is both a blessing and a curse. It’s so easy to use, but we devs just pull down dependencies without thinking about it and how it means we’ve created a reliance on libs that are sometimes only maintained by one person, who can do what they like with them. Obviously this is very relevant in light of recent events with #moq.
I get the “we shouldn’t reinvent the wheel” thing, but sometimes we don’t need a whole wheel, we just need a hub, yet we’ll still happily download some library even though we only need 5% of its functionality.
We use Mend (formerly WhiteSource) to scan packages for vulnerabilities on demand and in our pipelines, and sometimes it can seem like a full-time job to keep everything up to date.
Personally I always try to rely on as much of the ‘out of the box’ functionality as possible. What do you think?
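One way to put a number on the "reliance" question is to read the NuGet lock file (`packages.lock.json`, produced by `dotnet restore` when `RestorePackagesWithLockFile` is enabled) and see how many transitive packages each direct dependency drags in, and which transitive packages reach the project through exactly one direct dependency. This is an added example, not code from the post or from NuGet; the lock file contents below are constructed and its shape (`dependencies` -> framework -> package -> `type`/`dependencies`) is assumed from the format as documented.

```python
import json

# Constructed sample of a packages.lock.json; shape assumed from the NuGet lock-file format.
SAMPLE_LOCK = json.dumps({
    "version": 1,
    "dependencies": {
        "net8.0": {
            "Moq": {"type": "Direct", "requested": "[4.18.4, )", "resolved": "4.18.4",
                    "contentHash": "constructed=", "dependencies": {"Castle.Core": "5.1.1"}},
            "Castle.Core": {"type": "Transitive", "resolved": "5.1.1", "contentHash": "constructed=",
                            "dependencies": {"System.Diagnostics.EventLog": "6.0.0"}},
            "System.Diagnostics.EventLog": {"type": "Transitive", "resolved": "6.0.0",
                                            "contentHash": "constructed="},
            "Newtonsoft.Json": {"type": "Direct", "requested": "[13.0.3, )", "resolved": "13.0.3",
                                "contentHash": "constructed="},
        }
    }
})


def dependency_footprint(lock_text):
    """Map (framework, direct package) -> set of transitive packages reachable through it."""
    lock = json.loads(lock_text)
    footprint = {}
    for framework, packages in lock["dependencies"].items():
        for name, meta in packages.items():
            if meta.get("type") != "Direct":
                continue
            seen = set()
            stack = list(meta.get("dependencies", {}))
            while stack:  # depth-first walk of the resolved graph, cycle-safe via `seen`
                dep = stack.pop()
                if dep in seen or dep not in packages:
                    continue
                seen.add(dep)
                stack.extend(packages[dep].get("dependencies", {}))
            footprint[(framework, name)] = seen
    return footprint


def single_entry_transitives(lock_text):
    """Transitive packages that enter the build through exactly one direct dependency.

    These are the ones whose maintainer you are trusting without ever having chosen them.
    """
    reached_by = {}
    for (framework, direct), deps in dependency_footprint(lock_text).items():
        for dep in deps:
            reached_by.setdefault((framework, dep), set()).add(direct)
    return {key: next(iter(owners)) for key, owners in reached_by.items() if len(owners) == 1}


if __name__ == "__main__":
    for key, deps in dependency_footprint(SAMPLE_LOCK).items():
        print(f"{key[1]} ({key[0]}): {len(deps)} transitive package(s)")
    for (framework, dep), via in single_entry_transitives(SAMPLE_LOCK).items():
        print(f"{dep} reaches {framework} only via {via}")
```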