
The cost of code we didn't write

Two npm attacks. AI writing half our code. What a small team can actually do.

Yogini Bende

May 26, 2026 3 min read

Today's essay is about the bill that's coming due for trusting code we didn't write.

Before we get into it, a quick note. We're starting something new called Builder Mode. At Peerlist, we see 200+ launches and thousands of builder insights every week. Builder Mode is our attempt to write back. One honest essay every couple of weeks on the things that matter to people who ship. Let's jump in.

The trust tax

I counted the dependencies in one of my projects. 347 packages in the dependency tree. I wrote zero of them. I have audited zero of them. Neither have you, for whatever you're working on.

This used to feel fine.

Every npm install is a small act of faith. You're extending trust to the maintainer, their machine, every transitive dependency they pulled in, and everything else that can touch their release pipeline. We do this every day because the alternative is not shipping.

Two attacks in six weeks

Axios at the end of March was the kind we'd been bracing for. A maintainer got phished, two bad versions went out, the fixes wrote themselves.

TanStack a few days ago is scarier. Even with a strong security posture in place, attackers got in anyway by hijacking the release pipeline. The malicious versions were published by TanStack's own CI, then self-propagated to Mistral AI, UiPath, OpenSearch, and dozens of others within hours. The TanStack team posted a postmortem that is honest and worth reading.

The most uncomfortable part is that no checklist they ran would have caught it.

The new tax

While I was reading that postmortem, my editor was suggesting code. Claude wrote about a third of what I shipped this week. There's an MCP server in my local config from a GitHub repo I skimmed for thirty seconds. There are agents I let run commands in my terminal.

I trust all of it the same way I trust npm. Because the alternative is being slow.

The surface area is growing faster than our ability to audit it, probably faster than our ability to even want to. I'm not arguing we should stop. But the bill has gotten bigger and most of us aren't looking.

What a small team can actually do

You can't out-engineer this, but four basic checks help.

  1. Delay new versions. Set min-release-age=7 in your .npmrc so npm ignores any release younger than seven days (pnpm's equivalent setting is minimumReleaseAge, in minutes). A compromised release is usually noticed and pulled within hours or days; the delay gives the ecosystem time to do that before the version lands in your lockfile.

  2. Skip lifecycle scripts in CI. Run npm ci --ignore-scripts in your Dockerfile. Install hooks (preinstall, install, postinstall) are where most payloads actually execute, and almost no package legitimately needs them in your build environment. The exception is packages that compile native add-ons; audit those individually and run npm rebuild <package> for just those, rather than turning scripts back on globally.

  3. Know your rotation list. If you woke up tomorrow to news that a package you depend on was compromised, which secrets do you rotate first? Write the list before you need it: every token and key that the build, the CI runners, and the developer machines that ran npm install could see, with the owner of each.

  4. On the AI side, read more of what the agent writes. Pause before installing an MCP server, and treat it the way you treat a package: it runs with your permissions. Be slightly suspicious of things that work the first time.
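The first two checks can be turned into something you can actually run against a lockfile. The block below is an added example, not code from this essay, from the TanStack postmortem, or from the LocalCan article. It reads a lockfileVersion 3 package-lock.json (npm marks packages that declare install hooks with hasInstallScript), looks each resolved version up in the registry's per-package time map (version to ISO publish date, as GET https://registry.npmjs.org/<name> returns it), and flags anything younger than your min-release-age window, anything with no publish date to check, and anything that runs install scripts. The lock file, the registry timestamps, the package names alpha, beta, gamma and delta, and the fixed clock are all constructed for the example; in real use you would read the lockfile from disk and fetch the time map once per package.

```javascript
// Added example (not from the essay): audit a package-lock.json for versions
// that are too new and for packages that run install scripts.
// The lock file, registry timestamps and package names are constructed.

// lockfileVersion 3 keys entries by their path under node_modules; npm sets
// hasInstallScript: true on packages that declare preinstall/install/postinstall.
const lock = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { alpha: "^1.2.0", beta: "^4.0.0" } },
    "node_modules/alpha": { version: "1.2.3" },
    "node_modules/beta": { version: "4.1.0", hasInstallScript: true },
    "node_modules/beta/node_modules/gamma": { version: "0.9.1" },
    "node_modules/delta": { version: "2.0.0" },
  },
};

// Per-package "time" maps (version -> ISO publish date) in the shape the
// registry returns from GET https://registry.npmjs.org/<name>; constructed
// here so the example runs offline. delta is deliberately missing.
const registryTime = {
  alpha: { "1.2.2": "2026-01-10T09:00:00.000Z", "1.2.3": "2026-02-01T12:00:00.000Z" },
  beta: { "4.0.0": "2025-11-03T08:30:00.000Z", "4.1.0": "2026-05-24T17:45:00.000Z" },
  gamma: { "0.9.1": "2025-06-15T00:00:00.000Z" },
};

// Everything after the final "node_modules/", which keeps scopes
// ("node_modules/@scope/name" -> "@scope/name") and handles nested installs.
function packageName(lockPath) {
  const marker = "node_modules/";
  return lockPath.slice(lockPath.lastIndexOf(marker) + marker.length);
}

function ageInDays(isoDate, nowMs) {
  return (nowMs - Date.parse(isoDate)) / 86400000;
}

// Returns [{ name, version, reasons }] for every lock entry that is younger
// than minAgeDays, has no publish date we can check, or runs install scripts.
function auditLock(lockfile, times, { now = Date.now(), minAgeDays = 7 } = {}) {
  const findings = [];
  for (const [lockPath, entry] of Object.entries(lockfile.packages)) {
    if (lockPath === "") continue; // the root project itself
    const name = packageName(lockPath);
    const reasons = [];
    const published = times[name] && times[name][entry.version];
    if (published === undefined) {
      reasons.push("no publish date in registry metadata");
    } else {
      const age = ageInDays(published, now);
      if (age < minAgeDays) {
        reasons.push(`published ${age.toFixed(1)} days ago (< ${minAgeDays})`);
      }
    }
    if (entry.hasInstallScript) reasons.push("declares install scripts");
    if (reasons.length > 0) findings.push({ name, version: entry.version, reasons });
  }
  return findings.sort((a, b) => a.name.localeCompare(b.name));
}

// Fixed clock so the output is reproducible (the essay is dated May 26, 2026).
const NOW = Date.parse("2026-05-26T00:00:00.000Z");

for (const f of auditLock(lock, registryTime, { now: NOW, minAgeDays: 7 })) {
  console.log(`${f.name}@${f.version}: ${f.reasons.join("; ")}`);
}
```

Run it with node as a CI step before npm ci, or against the lockfile a pull request changes, and fail the build on any finding you have not consciously accepted. The "no publish date" case is kept as a finding on purpose: a package the registry cannot account for is exactly the one you want a human to look at.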

For the deeper checklist, the LocalCan team published a great article the day after the TanStack incident. Worth a read.

The part nobody pays for

The Axios maintainer got phished. The TanStack team is a handful of people carrying a piece of the ecosystem on their backs. Both wrote honest postmortems within a day, for free, while the rest of us read them on lunch break.

We don't pay for any of it. We pay the trust tax in risk. They pay it in everything else.

Next time someone ships something that quietly saves your week, tell them. It's the smallest thing, and right now it's most of what we have.

Thanks a lot for reading this till the end. If you have some thoughts or feedback, reach out to me. I would love to discuss.

This was the first issue of Builder Mode, a new series from Peerlist. An honest essay every couple of weeks for people who ship.