Dependency Security #2374

Description

@slayernominee

I tried stylix out today and came across an issue I'm somewhat concerned about. The flake introduces quite a lot of dependencies, and some of these dependencies get quite little attention, like:

| Repo | Stars | Last Update |
|------|-------|-------------|
| tomyun/base16-fish | 37 | 5y ago |
| SenchoPens/fromYaml | 3 | 2y ago |

That in itself is no problem at all, but it means that if these dependencies end up compromised for some reason and the flake lock is updated as a whole, these changes might go unnoticed and end up in the stylix project (not necessarily executed, but that might be possible if the respective modules are used), which could be kinda disastrous.

So imo it should be an aim to reduce the dependencies by a lot, incorporating the respective code into stylix itself (obviously in accordance with their project licenses). As there seem to be few updates to the 2 repos I mentioned as examples anyway, this doesn't seem like a big problem to me.
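One mitigation for the "changes go unnoticed in a bulk lock update" concern raised above is to diff `flake.lock` before and after `nix flake update` and review every input whose pinned revision or source moved. The script below is an added example, not code from the stylix project; the two lock documents and their `rev` values are constructed placeholders in the real `flake.lock` (version 7) layout.

```python
"""Report which flake inputs changed between two flake.lock files.

Usage: python flake_lock_diff.py old/flake.lock new/flake.lock
With no arguments it diffs the constructed sample locks below.
"""
import json
import sys
from pathlib import Path

def _lock(fromyaml_rev, fromyaml_mod):
    # Constructed sample flake.lock; revs are placeholders, not real commits.
    return json.dumps({"version": 7, "root": "root", "nodes": {
        "root": {"inputs": {"base16-fish": "base16-fish", "fromYaml": "fromYaml"}},
        "base16-fish": {"locked": {"type": "github", "owner": "tomyun", "repo": "base16-fish",
                                   "rev": "a" * 40, "lastModified": 1600000000}},
        "fromYaml": {"locked": {"type": "github", "owner": "SenchoPens", "repo": "fromYaml",
                                "rev": fromyaml_rev, "lastModified": fromyaml_mod}},
    }})

OLD_LOCK = _lock("b" * 40, 1650000000)
NEW_LOCK = _lock("c" * 40, 1700000000)  # only fromYaml moved in the "update"

def locked_inputs(lock_text):
    """Map node name -> (type, owner, repo, rev) for every pinned node."""
    nodes = json.loads(lock_text)["nodes"]
    return {name: (n["locked"].get("type"), n["locked"].get("owner"),
                   n["locked"].get("repo"), n["locked"].get("rev"))
            for name, n in nodes.items() if "locked" in n}

def diff_locks(old_text, new_text):
    """Return {name: (old_pin, new_pin)} for inputs added, removed or re-pinned."""
    old, new = locked_inputs(old_text), locked_inputs(new_text)
    return {name: (old.get(name), new.get(name))
            for name in sorted(set(old) | set(new)) if old.get(name) != new.get(name)}

def describe(before, after):
    """Classify a change so source re-pointing stands out from a plain rev bump."""
    if before is None: return "ADDED"
    if after is None: return "REMOVED"
    return "SOURCE CHANGED (review!)" if before[:3] != after[:3] else "rev bumped"

def main(argv):
    texts = [Path(p).read_text() for p in argv[1:3]] if len(argv) == 3 else [OLD_LOCK, NEW_LOCK]
    changes = diff_locks(*texts)
    for name, (before, after) in changes.items():
        print(f"{name}: {describe(before, after)}  {before and before[3]} -> {after and after[3]}")
    return 1 if changes else 0  # non-zero exit lets CI require a manual review step

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the pre- and post-update lock files in CI so that a bulk `nix flake update` fails until someone has looked at each re-pinned input.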
