# Less is safer: How Obsidian reduces the risk of supply chain attacks

Author: Licat
Date: September 19, 2025
Source: Obsidian Blog

---

## Overview

Supply chain attacks involve malicious updates sneaking into widely used open source code. Obsidian designs its app to minimize this risk, keeping users' content in a secure and private environment.

---

## Key Strategies to Reduce Supply Chain Attack Risk

### Minimal Dependencies ("Less is safer")

Obsidian has far fewer third-party dependencies than similar apps. Key features (such as Bases and Canvas) are implemented from scratch instead of using external libraries, which keeps control tight.

Approaches to dependencies:

- Small utilities: re-implemented within Obsidian's own code.
- Medium modules: forked and included internally, respecting their licenses.
- Large libraries (e.g., pdf.js, Mermaid, MathJax): included as version-locked known-good files, upgraded infrequently and with thorough review.

This practice keeps the dependency graph shallow, reducing the surface available to a compromised package.

### Strict Version Pinning and Lockfiles

All dependencies are pinned to exact versions and recorded in committed lockfiles. The lockfile ensures deterministic builds and provides an audit trail for changes. Obsidian disables post-install scripts to block execution of arbitrary code during installation.

### Slow, Deliberate Upgrades

When updating a dependency, Obsidian's process includes:

- Reading changelogs line by line.
- Checking for new sub-dependencies.
- Reviewing upstream code diffs for substantial changes.
- Running automated and manual cross-platform tests focused on critical user flows.
- Committing the new lockfile only after the review succeeds.

Dependency updates are rare and treated as cautiously as adopting a new dependency.

### Using Time as a Buffer

There is a delay between upgrading a dependency and shipping a release. This delay gives the community and security researchers time to detect a malicious version before end users are exposed.

---

## What Ships in the App?
Only a small set of packages is included at runtime, such as Electron, CodeMirror, and moment.js. Many dependencies are used only as build tools (e.g., esbuild, eslint) and are never included in user-facing builds.

---

## Conclusion

No single method eradicates supply chain risk, but Obsidian's approach of:

- fewer and well-controlled dependencies,
- shallow dependency trees,
- exact version pinning with lockfiles,
- no post-install script execution, and
- slow, thorough upgrade processes

significantly lowers the chance of malicious code reaching users. The long review and delay window helps spot problems in advance.

For the full security approach and past audits, visit the Obsidian security page.
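The "Strict Version Pinning and Lockfiles" section describes three controls for an npm-based project: exact version pins, a committed lockfile, and disabled install scripts. The following is an added example, not Obsidian's own tooling, of a small pre-commit style audit that checks all three. It takes the parsed `package.json`, a `lockfileVersion` 2 or 3 `package-lock.json`, and the text of `.npmrc` as inputs so it runs offline; the sample manifest, lockfile and `.npmrc` contents at the bottom are constructed for the demo and the integrity hash is a placeholder.

```javascript
// Added example (not Obsidian's code): enforce exact pins, lockfile
// coverage with integrity hashes, and ignore-scripts=true in .npmrc.

const EXACT_VERSION = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;

// Dependencies whose spec is a range (^, ~, *, etc.) rather than an exact version.
function findUnpinned(pkg) {
  const problems = [];
  for (const field of ["dependencies", "devDependencies"]) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (!EXACT_VERSION.test(spec)) problems.push(`${field}.${name}: "${spec}"`);
    }
  }
  return problems;
}

// Every declared dependency must have a lockfile entry (lockfileVersion 2/3
// keys entries as "node_modules/<name>") that carries an `integrity` hash and
// whose locked version equals the pinned one.
function findLockfileGaps(pkg, lock) {
  const problems = [];
  const packages = lock.packages || {};
  for (const field of ["dependencies", "devDependencies"]) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const entry = packages[`node_modules/${name}`];
      if (!entry) { problems.push(`${name}: missing from lockfile`); continue; }
      if (!entry.integrity) problems.push(`${name}: no integrity hash`);
      if (entry.version !== spec) problems.push(`${name}: locked ${entry.version}, pinned ${spec}`);
    }
  }
  return problems;
}

// Parse .npmrc (key=value lines, '#' or ';' comments) and report whether
// install/postinstall scripts are disabled.
function scriptsDisabled(npmrcText) {
  const settings = {};
  for (const raw of npmrcText.split("\n")) {
    const line = raw.trim();
    if (!line || line.startsWith("#") || line.startsWith(";")) continue;
    const eq = line.indexOf("=");
    if (eq === -1) continue;
    settings[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return settings["ignore-scripts"] === "true";
}

// Combined audit: returns a list of human-readable findings (empty means clean).
function audit(pkg, lock, npmrcText) {
  const problems = [...findUnpinned(pkg), ...findLockfileGaps(pkg, lock)];
  if (!scriptsDisabled(npmrcText)) problems.push(".npmrc: ignore-scripts is not set to true");
  return problems;
}

// Constructed sample project; package names and hash are invented placeholders.
const samplePkg = {
  dependencies: { "left-pad-like": "1.3.0", "some-widget": "^2.0.0" },
  devDependencies: { "esbuild-like": "0.21.5" },
};
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "node_modules/left-pad-like": { version: "1.3.0", integrity: "sha512-PLACEHOLDER" },
    "node_modules/some-widget": { version: "2.1.0" },
    // "esbuild-like" is deliberately absent to show the missing-entry finding
  },
};
const goodNpmrc = "# project settings\nignore-scripts=true\n";
const badNpmrc = "save-exact=true\n";

for (const p of audit(samplePkg, sampleLock, badNpmrc)) console.log("FAIL:", p);
```

The sample run reports five findings: one unpinned range, two problems with `some-widget`'s lockfile entry, the missing `esbuild-like` entry, and the absent `ignore-scripts` setting. Wiring `audit` into CI with the real files (`JSON.parse(fs.readFileSync(...))`) makes a lockfile change that drops an integrity hash or loosens a pin fail the build rather than pass review silently.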
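The "Using Time as a Buffer" section and the conclusion's "delay window" both rest on the same idea: a version that has been public for a while has had time to be scrutinized. As an added example that is not part of the post or of Obsidian's process, the script below turns that idea into a minimum-age gate over the `time` map the npm registry returns in a package's metadata document. It rejects any candidate version published less than `MIN_AGE_DAYS` ago and picks the newest version that has been public long enough. The package name, versions and dates are constructed for the demo.

```javascript
// Added example (not Obsidian's code): minimum-age gate for dependency upgrades.

const DAY_MS = 24 * 60 * 60 * 1000;

function ageInDays(publishedIso, nowIso) {
  return (Date.parse(nowIso) - Date.parse(publishedIso)) / DAY_MS;
}

// The registry `time` map also holds "created" and "modified"; keep only
// keys that look like semver versions.
function publishedVersions(meta) {
  return Object.entries(meta.time || {})
    .filter(([key]) => /^\d+\.\d+\.\d+/.test(key))
    .map(([version, published]) => ({ version, published }));
}

// Returns { ok, reason } for one candidate version.
function checkVersionAge(meta, version, nowIso, minAgeDays) {
  const published = (meta.time || {})[version];
  if (!published) return { ok: false, reason: `${version} is not published` };
  const age = ageInDays(published, nowIso);
  if (age < minAgeDays) {
    return { ok: false, reason: `${version} is ${age.toFixed(1)} days old, need ${minAgeDays}` };
  }
  return { ok: true, reason: `${version} is ${age.toFixed(1)} days old` };
}

// Newest version (by publish date) that is at least minAgeDays old, or null.
function newestMatureVersion(meta, nowIso, minAgeDays) {
  const mature = publishedVersions(meta)
    .filter(({ published }) => ageInDays(published, nowIso) >= minAgeDays)
    .sort((a, b) => Date.parse(b.published) - Date.parse(a.published));
  return mature.length ? mature[0].version : null;
}

// Constructed sample metadata shaped like a registry package document.
const sampleMeta = {
  name: "example-widget",
  "dist-tags": { latest: "2.4.0" },
  time: {
    created: "2023-01-10T00:00:00.000Z",
    modified: "2025-09-18T09:30:00.000Z",
    "2.2.0": "2025-06-02T12:00:00.000Z",
    "2.3.0": "2025-08-20T12:00:00.000Z",
    "2.4.0": "2025-09-18T09:30:00.000Z",
  },
};
const NOW = "2025-09-19T12:00:00.000Z";   // constructed "current" time
const MIN_AGE_DAYS = 14;

console.log(checkVersionAge(sampleMeta, sampleMeta["dist-tags"].latest, NOW, MIN_AGE_DAYS));
console.log("would adopt:", newestMatureVersion(sampleMeta, NOW, MIN_AGE_DAYS));
```

With the sample data the `latest` tag (2.4.0, about a day old) is refused and 2.3.0 is chosen instead. The gate only buys time; it still has to be paired with the changelog and diff review the post describes, since a malicious version that nobody examines stays malicious after fourteen days.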