Oh No! My dependency has a vulnerability
Quick reminder in the context of the Log4j RCE that caused quite a lot of havoc in the Java ecosystem:
You are responsible for the dependencies you introduce to your project.
Recursively. So if you add dependency X, and X depends on Y, you are responsible for both packages.
Unless you have a contract with the vendor, it's your job to audit the dependency and make sure it's safe to use. It's your job to respond to vulnerabilities. It's your (or your manager's) fault if an RCE like this affects your software.
But Teddy, you can't expect me to audit 170 kLOC of a logging library?
Yes, I do. If you can't, use printf instead. Even better: convince your company to hire someone to work on the dependency full-time.
One thing I expect you NOT to do is whine at and harass the people who maintain a piece of FOSS software.
Log4j maintainers have been working sleeplessly on mitigation measures: fixes, docs, CVE, replies to inquiries, etc. Yet nothing is stopping people from bashing us, for work we aren't paid for, for a feature we all dislike yet needed to keep due to backward compatibility concerns. https://t.co/W2u6AcBUM8
— Volkan Yazıcı (@yazicivo) December 10, 2021
So if you are one of the people @yazicivo talks about: do the right thing and go fuck yourself off a cliff.