---
title: Supply Chain Security
description: Dependency minimalism, vendoring, and build-process elimination
tags: [security, dependencies, supply-chain]
dependencies: [safety]
---

# Supply Chain Security

Every dependency is a trust decision. Every trust decision is an attack surface.

## Principles

- Zero dependencies by default: justify every import.
- Build It Yourself (BIY): implement straightforward features directly.
- Depend carefully when needed: prefer small, focused, auditable libraries.
- Zero implicit execution: no install hooks or hidden build scripts.
- Zero drift: pin exact versions and verify integrity.

## Vendoring pattern

Copy dependency sources into the repository. Do not fetch code at runtime.

Example:
```text
/js/vendor/
  tweetnacl-XX.min.js
  dompurify-YY.min.js
  ...
```

```html
<script src="/js/vendor/tweetnacl-XX.min.js"></script>
<script src="/js/vendor/dompurify-YY.min.js"></script>
```

No runtime CDN dependency and no transitive dependency tree at execution time.

## Why this matters

Vendoring and minimal dependencies reduce exposure to:

- install-time script execution
- transitive dependency compromise
- registry or CDN outages
- unreviewed dependency upgrades

## Auditing vendored code

```sh
sha256sum js/vendor/tweetnacl-XX.min.js

diff js/vendor/dompurify-YY.min.js js/vendor/dompurify-ZZ.min.js
```

Track expected hashes and review every version update diff before rollout.
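The manifest check described above, worked through as an added example (not code from the original page or from any of the vendored projects). It assumes a POSIX shell with `sha256sum` (or `shasum`) and `openssl`, and all file names, paths and contents below are constructed placeholders for the `tweetnacl-XX` / `dompurify-YY` layout shown in the vendoring section. It generates a `SHA256SUMS` manifest for the vendor directory, verifies the tree against it (flagging missing, modified and unlisted files as drift), and derives a Subresource Integrity value so the `<script>` tag can carry an `integrity` attribute as a second check in the browser.

```shell
#!/bin/sh
# Added example: hash manifest for vendored files. Not from the original page.
# Assumes sha256sum (coreutils) or shasum, plus openssl for the SRI digest.
# Directory, file names and contents are constructed for the demonstration.
set -eu

VENDOR_DIR="${VENDOR_DIR:-$(mktemp -d)/js/vendor}"
MANIFEST="${MANIFEST:-$VENDOR_DIR/SHA256SUMS}"

# Hex SHA-256 of one file, portable across coreutils and BSD userlands.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Write the manifest in `sha256sum -c` format ("<hex>  <name>"). Run this only
# when a dependency is added or deliberately upgraded, and commit the manifest
# next to the vendored files so the expected hashes are reviewed with them.
write_manifest() {
  : > "$MANIFEST"
  for f in "$VENDOR_DIR"/*.js; do
    printf '%s  %s\n' "$(sha256_of "$f")" "$(basename "$f")" >> "$MANIFEST"
  done
}

# Verify the vendor tree against the manifest. Returns 0 only when every
# listed file exists with the expected hash and no unlisted .js file is present.
verify_manifest() {
  status=0
  while read -r expected name; do
    [ -n "$name" ] || continue
    f="$VENDOR_DIR/$name"
    if [ ! -f "$f" ]; then
      echo "MISSING  $name" >&2; status=1; continue
    fi
    if [ "$(sha256_of "$f")" != "$expected" ]; then
      echo "MISMATCH $name" >&2; status=1
    fi
  done < "$MANIFEST"
  # A file that is present but not in the manifest is unreviewed code: also drift.
  for f in "$VENDOR_DIR"/*.js; do
    grep -q -- "  $(basename "$f")\$" "$MANIFEST" \
      || { echo "UNLISTED $(basename "$f")" >&2; status=1; }
  done
  return $status
}

# Subresource Integrity value (sha384-<base64>) for a <script integrity="..."> attribute,
# so the browser refuses a vendored file whose bytes no longer match.
sri_hash() {
  printf 'sha384-%s' "$(openssl dgst -sha384 -binary "$1" | base64 | tr -d '\n')"
}

# Demonstration with constructed placeholder files (not real library code).
mkdir -p "$VENDOR_DIR"
printf '// constructed placeholder for tweetnacl-XX.min.js\n' > "$VENDOR_DIR/tweetnacl-XX.min.js"
printf '// constructed placeholder for dompurify-YY.min.js\n' > "$VENDOR_DIR/dompurify-YY.min.js"
write_manifest
verify_manifest && echo "vendor tree matches $MANIFEST"
echo "<script src=\"/js/vendor/tweetnacl-XX.min.js\" integrity=\"$(sri_hash "$VENDOR_DIR/tweetnacl-XX.min.js")\"></script>"
```

`verify_manifest` is what a pre-commit hook or CI step runs on every change; `write_manifest` runs only after the version-update diff has been reviewed, so a changed hash is always a deliberate, recorded decision rather than silent drift. Because the manifest uses the `sha256sum` line format, `sha256sum -c SHA256SUMS` inside the vendor directory performs the same per-file check where coreutils is available.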

## Acceptable exceptions

Some domains are risky to reimplement quickly. Rely on established libraries for:

- cryptography
- security controls
- HTML sanitization

Prefer libraries with few or no transitive dependencies and clear maintenance history.

## For agents

1. Start from zero dependencies and add only when needed
2. Vendor imported browser/runtime code where operationally possible
3. Pin exact versions and verify hashes
4. Keep build tooling minimal and deterministic
5. Treat `node_modules` sprawl as a risk signal
6. Don't roll your own crypto or HTML sanitization; rely on established libraries
