You’ve likely seen Kane Cheshire’s post this week talking about his experiments with Process and a Swift package manifest file. If not, read that before continuing here.

It’s not surprising to see that people were generally quite shocked to find out this is possible, but I think that highlights just how little we think about the dependencies we include in our apps. Is it shocking that package authors can launch arbitrary processes when we run swift package? If that concerns you, you’re really not going to like what third-party code can do with your user’s data when you build them into your app and ship it to the store.

Does your app request permission to access location data? Photos? Contacts? That’s all available to third-party libraries you include. What do you store in the keychain? It’s all open to a library. 😅

I have strong feelings about choosing high-quality dependencies. So much so that the “mission statement” of the Swift Package Index is to “help you make better decisions when choosing dependencies”. Some of that can be automated, which is where the site can help. But you also need to understand (on some level) what the packages that you’re importing are doing.

Dave Verwer



Business and Marketing


Senior iOS Engineer @ DuckDuckGo – Rather than rely on interviews, we base our hiring decisions on demonstrable work performance. We achieve that through asking our candidates to complete paid projects, which largely resemble the type of challenges they would be solving at DuckDuckGo every day. – Remote (anywhere)

And finally...