Who checks dependencies other than the author of the library ? The only time I check them is when they break and that's not a good thing.

I see this argument as “it’s not my job” type of argument.

Most of the time you just install and use. If I had infinite time, I’d do it because it’s fun but I don’t so I don’t.

If there’s a trust chain and I know for sure certain libraries are reviewed I’d have a peace of mind. Alas, that’s not the case and we spend our days in back burner paranoia or blissful ignorance.

well a lot of people do it. Specially if the code is part of a project going through some auditing, or certification.

This argument comes up super frequently. Yes, more people actually reading the source code is better for identifying security vulnerabilities, but that almost never how it’s either articulated or implied.

When most people make this argument the suggestion is that popular software must be more secure because somebody would have certainly identified and reported the vulnerability. That makes several assumptions not qualified by evidence. In other words it’s wishful thinking.

As a case in point when I reported my first V8 defect it was around the time of Node 4.4. Chrome had been out for several years at that point with many millions of users. The defect I found was that V8 could not perform recursion using only function name. WTF. The problem was missing test cases, not a lack of eye balls.

To adjust an old joke about economics:

“Two open source maintainers are walking along the street when one says:

Look! A repo exposing an API allowing unprivileged deletion of users!

The other replied: that vulnerability clearly cannot be real, as someone would have fixed it already.”