
Supply Chain Security

Every dependency is a trust decision. Every trust decision is an attack surface.

Principles

Vendoring pattern

Copy dependency sources into the repository. Do not fetch code at runtime.

Example

    /js/vendor/
      tweetnacl-XX.min.js
      dompurify-YY.min.js
      ...

    <script src="/js/vendor/tweetnacl-XX.min.js"></script>
    <script src="/js/vendor/dompurify-YY.min.js"></script>

No runtime CDN dependency and no transitive dependency tree at execution time.

Why this matters

Vendoring and minimal dependencies reduce exposure to:

Auditing vendored code

    sha256sum js/vendor/tweetnacl-XX.min.js
    diff js/vendor/dompurify-YY.min.js js/vendor/dompurify-ZZ.min.js

Track expected hashes and review every version update diff before rollout.
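
One way to track expected hashes and catch drift in the vendor directory, as an added example that is not code from the original page. The `verify_vendor` function, the `vendor.sha256` manifest name and the placeholder file contents are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a vendor directory against a tracked hash manifest.
# Manifest lines use sha256sum's format: "<hex digest>  <file name>".
# Assumes a flat directory and file names without whitespace.

# verify_vendor DIR MANIFEST -> prints one line per problem, returns 0 if clean
verify_vendor() {
    dir=$1; manifest=$2; rc=0
    # Pass 1: every tracked file must exist and hash to the expected value.
    while read -r want name; do
        [ -n "$want" ] || continue
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING $name"; rc=1; continue
        fi
        got=$(sha256sum "$dir/$name" | cut -d' ' -f1)
        if [ "$got" != "$want" ]; then
            echo "MISMATCH $name"; rc=1
        fi
    done < "$manifest"
    # Pass 2: every file on disk must be tracked; sha256sum -c alone misses this.
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        awk -v n="$name" '$2 == n { hit = 1 } END { exit !hit }' "$manifest" ||
            { echo "UNTRACKED $name"; rc=1; }
    done
    return "$rc"
}

# Constructed demo: placeholder contents stand in for the real libraries.
demo=$(mktemp -d)
mkdir "$demo/vendor"
printf 'nacl placeholder\n' > "$demo/vendor/tweetnacl-XX.min.js"
printf 'purify placeholder\n' > "$demo/vendor/dompurify-YY.min.js"
(cd "$demo/vendor" && sha256sum *.js) > "$demo/vendor.sha256"

verify_vendor "$demo/vendor" "$demo/vendor.sha256" && echo "baseline clean"

# Simulate an unreviewed edit and an unreviewed new file.
printf '/* unreviewed change */\n' >> "$demo/vendor/dompurify-YY.min.js"
printf 'new file\n' > "$demo/vendor/helper.js"
verify_vendor "$demo/vendor" "$demo/vendor.sha256" || echo "vendor tree drifted"
rm -rf "$demo"
```

Keep the manifest in version control next to the vendored files so that a hash change shows up in the same review as the version update diff.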

Acceptable exceptions

Some domains are risky to reimplement quickly. Rely on established libraries for:

Prefer libraries with few or no transitive dependencies and clear maintenance history.

For agents

  1. Start from zero dependencies and add only when needed
  2. Vendor imported browser/runtime code where operationally possible
  3. Pin exact versions and verify hashes
  4. Keep build tooling minimal and deterministic
  5. Treat node_modules sprawl as a risk signal
  6. Don't roll your own crypto or HTML sanitization. Rely on established libraries.
