Golang

2434 readers

8 users here now

This is a community dedicated to the go programming language.

Useful Links:

Rules:

Posts must be relevant to Go
No NSFW content
No hate speech, bigotry, etc
Try to keep discussions on topic
No spam of tools/companies/advertisements
It’s OK to post your own stuff part of the time, but the primary use of the community should not be self-promotion.

founded 2 years ago

MODERATORS

Ategon@programming.dev

RandomDevOpsDude@programming.dev

austin@programming.dev

wget to Wipeout: Malicious Go Modules Fetch Destructive Payload (socket.dev)

submitted 3 days ago by cm0002@lemmy.world to c/golang@programming.dev

2 comments fedilink hide all child comments

top 2 comments

sorted by: hot top controversial new old

[–] sxan@midwest.social 2 points 3 days ago

I took a decidedly minimalist dependency stance a while ago, and I'm glad about it. It's hard; you also don't want to be writing bespoke libraries for everything, but what really got me on this kick was viper and cobra. Using cobra adds 32,400 LOC to your project. To parse flags. 19,600 of those are in cobra's dependencies, which - of course, you also have to vet.

Especially when I'm writing libraries myself, I go to fairly extreme lengths to have an empty go.mod; at least my users only have to audit my project, and not some branching nest of dependencies.

[–] starshipwinepineapple@programming.dev 1 points 3 days ago

Interesting that it sounds like it is immediately overwriting the whole primary drive rather than trying to exfiltrate any data (or anything else) first