Dependency Tracking Is Hard
riffraff
14 points
4 comments
March 10, 2026
Discussion Highlights (4 comments)
direwolf20
Dependency tracking for security is like any other security work: the purpose is to create the perception of security, not actual security. You can sell the perception of security. You can't sell actual security. That's why every other corporation has a WAF now that doesn't block attacks but does block legitimate traffic, and how Cloudflare managed to create the world's biggest MITM without a single crime.
nacozarina
it’s cache-invalidation in different clothes, it will always be a pain in the tucus
dhruv3006
GitHub lists one dependent repo for curl and that too is a mistake.
rurban
It's not hard since opus or gpt-5.4 anymore. I check most of my Makefiles with them to update wrong deps.