Every dependency you add is a supply chain attack waiting to happen (benhoyt.com)

Ben Hoyt argues that adding third-party dependencies increases supply-chain risk, especially because automated tools like Dependabot update them without much review. He points to recent compromises (including issues affecting both runtime and dev dependencies) to show attackers can use updated packages—or even compromised development tools—to steal credentials or take over projects. He recommends minimizing dependencies and being cautious with automated updates.