Actually, the most secure path is to reduce your dependencies as much as possible and isolate them as much as you can. That directly contradicts most Ruby projects I’ve seen, though, which tend to have Gemfiles full of dozens or even hundreds of dependencies.
Yep, although Ruby is the wrong language for that approach, Go is great for low/no dependency projects.
Why is Ruby the wrong language for that approach, but Go is not?
In Go, the stdlib contains more, and what it contains is more correct/performant.
This makes going ‘without dependencies other than the stdlib’ much easier in Go than in Ruby.
We had “not having any dependencies at all” as our Strategy 4, but it got removed in the editing process. ?
Should be strategy 1: the simplest solution possible for your problem. That often leads to less dependencies or at least less code in them than what’s common. Another thing to look at is how easy it is to do automated analysis or test generation on a code base. Well-structured ones let you knock out quite a few problems that way with little effort.