I promise I'm not dead. Just been quiet and focused on, well, a lot of things lately. Changed my day job recently, and I'm working on a Nostr relay. Among other things.

The recent spate of supply-chain attacks in the JS ecosystem (and others, but NPM is by far the worst offender) has me reconsidering my approach to 3rd-party dependencies. First of all, less is good. I probably don't always need that whole library, I just need a piece of it. Can I copy it into my project myself? Can I write what I need myself? Second, auditing dependencies is important. Do I expect myself to read every line of code in every package I import? No. But I do expect myself to give each dependency, and especially each one that ships with the production build, more careful thought.