this post was submitted on 28 Jun 2025

Experienced Devs

Not to poke at React or any of the other popular frameworks, I'm sure they're suitable for cybersecurity projects. They surely go through things like reviews and audits.

I'm asking from the perspective that web components are native to the browser and thus reduce what I think are called supply chain attacks (like if "npm install" introduces something it shouldn't).

Maybe the frameworks don't matter and it depends on the browser/OS/device it's run on?


Context: I have a p2p messaging app created with ReactJS and a separate project for a UI framework based on Lit. Both these projects can be a whole separate discussion. I was wondering if there could be any advantages to refactoring (or starting from scratch) the messaging app to be based on the web component UI framework.

Same question on r/ExperiencedDevs with comments here. I have an answer there, but posting here in case anything is being overlooked.

[–] [email protected] 0 points 4 days ago

The actual question I'm reading from this is "are components that I build myself more secure than those provided by a third party library?"

You should correct me if that's not what you're asking.

The short answer is "probably not." You can and will introduce bugs and vulnerabilities into your own software.

The main downsides of third party libraries are that they can have dependencies that you may not know about, and vulnerabilities in third party libraries mean that a given vulnerability is just as widespread as the library that it exists in.

Most "bad actors" are opportunists, so a specific vulnerability being widespread tends to work in their favor by increasing opportunities.

That said, I wouldn't waste your time rewriting functionality that already exists in other libraries unless you have a very compelling reason for it.
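One way to make the "dependencies you may not know about" visible, as an added example that is not part of the original post or the comment: a script that walks a package-lock.json (a constructed sample below, using the lockfileVersion 3 layout where each installed package is keyed by its node_modules path) and reports what each direct dependency pulls in, and which direct dependencies expose you to a given package. The package names are made up.

```javascript
// Constructed sample lockfile, shaped like package-lock.json lockfileVersion 3.
// "" is the root project; every other key is the install path of a package.
const lockfile = {
  name: "p2p-messenger", // constructed, not a real project
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "ui-kit": "^1.0.0", lit: "^3.0.0" } },
    "node_modules/ui-kit": {
      version: "1.2.0",
      dependencies: { "string-utils": "^2.0.0", lit: "^3.0.0" },
    },
    "node_modules/string-utils": {
      version: "2.1.0",
      dependencies: { "tiny-pad": "^0.1.0" },
    },
    "node_modules/tiny-pad": { version: "0.1.3" },
    "node_modules/lit": { version: "3.1.0" },
  },
};

// Look up a package by bare name. Assumes the flat, hoisted node_modules layout;
// nested duplicates (node_modules/a/node_modules/b) are not handled here.
function entryFor(lock, name) {
  return lock.packages[`node_modules/${name}`];
}

// Every package reachable from `name` through declared dependencies,
// excluding `name` itself. Cycles are handled by the `seen` set.
function transitiveDeps(lock, name) {
  const seen = new Set();
  const stack = [name];
  while (stack.length) {
    const entry = entryFor(lock, stack.pop());
    if (!entry) continue; // dangling reference: the lockfile is inconsistent
    for (const dep of Object.keys(entry.dependencies || {})) {
      if (!seen.has(dep)) {
        seen.add(dep);
        stack.push(dep);
      }
    }
  }
  seen.delete(name);
  return [...seen].sort();
}

// Given a package an advisory names, list the direct dependencies that bring
// it in, so you know which of your own choices to upgrade or replace.
function blastRadius(lock, vulnerable) {
  const direct = Object.keys(lock.packages[""].dependencies || {});
  return direct.filter(
    (d) => d === vulnerable || transitiveDeps(lock, d).includes(vulnerable),
  );
}
```

On a real project, `npm ls --all` prints the same tree from the installed node_modules; the point of reading the lockfile is that a one-line direct dependency like `ui-kit` can silently bring in packages you never chose.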