> Codebases that lag behind on updates can become vulnerable to security exploits
This is an excellent point, but I think it's always worth considering that the tradeoff isn't between third-party security vulnerabilities and no vulnerabilities; it's between third-party security vulnerabilities and first-party security vulnerabilities.
It's up to your team to decide if you have the capabilities in-house to deal with those. If not, trusting to the wisdom of crowds may often be a better solution. (At the very least, if you're rolling your own crypto solution and not publishing it, take a strong look at why you're doing that and be very sure you aren't falling victim to smartest-kids-in-the-room syndrome).
Very much agree. Though there’s a line between implementing cryptographic algorithms yourself vs. implementing cookie-based authentication.
Cryptography is something I’d leave to standard libraries. However, when it comes to authentication it might not be that hard to implement some cookie or token logic as long as the actual cryptography is handled by some well tested library.
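As an added illustration of the split the comment above describes (this is example code written for this page, not code from the commenter), here is a minimal signed, expiring session token where the only cryptography is the standard library's HMAC-SHA256 and constant-time comparison, and the application-level logic is just the token layout, the expiry check and the claim validation. The `SECRET_KEY` value is a placeholder assumed for the example; a real deployment loads it from a secrets store, rotates it, and sends the token in a cookie with `Secure`, `HttpOnly` and `SameSite` set.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Optional

# Placeholder secret for this example only; never hard-code a real key.
SECRET_KEY = b"example-only-secret-do-not-use-0123456789"


def b64url_encode(raw: bytes) -> str:
    """base64url without padding, so the token is cookie-safe."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: str, ttl_seconds: int = 3600, *,
                secret: bytes = SECRET_KEY, now: Optional[float] = None) -> str:
    """Return 'payload.signature': base64url JSON claims plus HMAC-SHA256 over them.

    HMAC gives integrity and authenticity only; the claims are readable by the
    client, so nothing secret belongs in the payload.
    """
    issued = int(now if now is not None else time.time())
    claims = {"sub": user_id, "iat": issued, "exp": issued + ttl_seconds}
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(secret, payload, hashlib.sha256).digest()
    return f"{b64url_encode(payload)}.{b64url_encode(sig)}"


def verify_token(token: str, *, secret: bytes = SECRET_KEY,
                 now: Optional[float] = None) -> Optional[str]:
    """Return the user id if the token is authentic and unexpired, otherwise None."""
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload = b64url_decode(payload_b64)
        sig = b64url_decode(sig_b64)
    except (ValueError, binascii.Error):
        return None

    # Verify the MAC before trusting anything inside the payload, and compare
    # in constant time: a plain `==` on the digest leaks timing information.
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None

    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(claims, dict):
        return None

    current = now if now is not None else time.time()
    exp = claims.get("exp")
    if not isinstance(exp, int) or current >= exp:
        return None  # expired or malformed expiry

    sub = claims.get("sub")
    return sub if isinstance(sub, str) else None


if __name__ == "__main__":
    tok = issue_token("alice", ttl_seconds=60)
    print("issued:", tok)
    print("verified as:", verify_token(tok))
    # Splicing another user's payload onto this signature must fail.
    forged = issue_token("bob").split(".")[0] + "." + tok.split(".")[1]
    print("forged verifies as:", verify_token(forged))
```

The order of checks matters: the signature is verified before the JSON is parsed, so unauthenticated input never reaches the parser, and the expiry is enforced server-side from the signed `exp` claim rather than from anything the client controls. Revocation is the one thing this stateless design cannot do without a server-side deny list or a short TTL.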