His section about circumventing CSPs was particularly interesting and relevant. CSPs were an impediment to him, and he avoided operating his scam on sites where a CSP was installed.
He was also able to go around CSP. I am not a frontend developer, but I really don't like how frontend developers seem to treat security and dependencies.
It really isn't normal to have 1000+ dependencies and it really isn't safe. Just saying "CSP will protect us" isn't good enough.
Yeah I agree except I don’t understand what the point of the tweet was. Whether you have 1000 deps or 10 deps, the problem is about security, not dep count. Who’s going to carefully audit 10 deps when they’re transitive? More than would audit 1000, but not many more. Having few deps does not appear to be the solution to dependency security.
> Who’s going to carefully audit 10 deps when they’re transitive?
I do. That is why I don't have many deps in general. Transitive or not. With only a handful of dependencies that are from trusted sources and that are audited by me I can be sure that they are safe.
With 1000+ dependencies that are from as many random sources, you cannot do the same.
Having 10 dependencies is drastically different from a security aspect than 1000+.
https://hackernoon.com/im-harvesting-credit-card-numbers-and...
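As an added illustration of the "10 deps vs. 1000+" argument above (this is not code from the thread or from the linked article), the Node script below walks an npm lockfile's install closure the way npm's own resolver does (look in `<pkg>/node_modules/<dep>`, then walk up one `node_modules` level at a time) and reports what an audit would actually have to cover: how many packages are reachable from the root, how deep the longest chain is, which packages run install scripts, and which names are present in more than one version. The lockfile is constructed for the example; every package name and version in it is made up. Only the `lockfileVersion` 2/3 `packages` map is handled.

```javascript
// Added example (not from the discussion above or from the linked article):
// measure what "I audit my dependencies" really covers by walking an npm
// lockfile's install closure. The lockfile below is constructed for the
// example; every package name and version in it is made up.
const LOCKFILE = {
  name: "shop-frontend",
  lockfileVersion: 3,
  packages: {
    // "" is the root project; only its (dev)dependencies are "direct".
    "": {
      dependencies: { "ui-kit": "^2.0.0", "left-pad": "^1.3.0" },
      devDependencies: { "dev-only-linter": "^0.0.1" },
    },
    "node_modules/ui-kit": { version: "2.1.0", dependencies: { "color-util": "^1.0.0", "dom-helpers": "^3.0.0" } },
    "node_modules/color-util": { version: "1.4.2", dependencies: { "tiny-math": "^0.1.0" } },
    // nested copy: ui-kit needs an older dom-helpers than the hoisted one
    "node_modules/ui-kit/node_modules/dom-helpers": { version: "3.9.1" },
    "node_modules/tiny-math": { version: "0.1.7", dependencies: { "dom-helpers": "^5.0.0" }, hasInstallScript: true },
    "node_modules/dom-helpers": { version: "5.0.0" },
    "node_modules/left-pad": { version: "1.3.0" },
    "node_modules/dev-only-linter": { version: "0.0.1", dev: true },
  },
};

// Node-style resolution against the lockfile: try fromPath/node_modules/name,
// then strip one "/node_modules/<pkg>" level and retry until the root is reached.
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = base === "" ? `node_modules/${name}` : `${base}/node_modules/${name}`;
    if (packages[candidate]) return candidate;
    if (base === "") return null;
    const up = base.lastIndexOf("/node_modules/");
    base = up === -1 ? "" : base.slice(0, up);
  }
}

// Package name is everything after the last "node_modules/" (keeps @scope/name intact).
function packageName(path) {
  const marker = "node_modules/";
  return path.slice(path.lastIndexOf(marker) + marker.length);
}

// Breadth-first walk from the root's dependencies; the first visit to a
// lockfile path is its shortest depth because the queue is FIFO.
function dependencyClosure(lockfile, { includeDev = false } = {}) {
  const packages = lockfile.packages;
  const root = packages[""] || {};
  const directNames = Object.keys({
    ...(root.dependencies || {}),
    ...(includeDev ? root.devDependencies || {} : {}),
  });

  const reached = new Map(); // lockfile path -> { name, version, depth, hasInstallScript }
  const missing = []; // names that resolve to nothing in the lockfile
  const queue = directNames.map((n) => ["", n, 1]);
  while (queue.length) {
    const [fromPath, name, depth] = queue.shift();
    const path = resolveDep(packages, fromPath, name);
    if (!path) { missing.push(name); continue; }
    if (reached.has(path)) continue;
    const meta = packages[path];
    reached.set(path, { name: packageName(path), version: meta.version, depth, hasInstallScript: Boolean(meta.hasInstallScript) });
    for (const dep of Object.keys(meta.dependencies || {})) queue.push([path, dep, depth + 1]);
  }

  const entries = [...reached.values()];
  const versionsPerName = new Map();
  for (const p of entries) versionsPerName.set(p.name, (versionsPerName.get(p.name) || 0) + 1);

  const direct = entries.filter((p) => p.depth === 1).length;
  return {
    direct,
    total: entries.length,
    transitive: entries.length - direct,
    maxDepth: Math.max(0, ...entries.map((p) => p.depth)),
    // install scripts run arbitrary code on the developer's machine and in CI
    installScripts: entries.filter((p) => p.hasInstallScript).map((p) => `${p.name}@${p.version}`),
    // the same name in several versions means several copies to audit
    duplicated: [...versionsPerName].filter(([, n]) => n > 1).map(([name]) => name).sort(),
    missing,
  };
}

console.log(JSON.stringify(dependencyClosure(LOCKFILE), null, 2));
console.log(JSON.stringify(dependencyClosure(LOCKFILE, { includeDev: true }), null, 2));
```

On the constructed lockfile two direct dependencies pull in six installed packages, one of which runs an install script and one of which is present twice; on a real frontend lockfile the same walk is how you get from "10 deps" to the number that actually has to be read.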