by get 3046 days ago

    what's the better way to do it
    copy & paste, or use a package manager 
When you add a dependency, how do you prevent the maintainer of the dependency, or of any sub- or sub-sub-...dependency, from breaking your system in the future?
2 comments

You do the same thing you'd do if anything else in your toolchain or runtime environment changes - change relevant code so it works again. Browsers change all sorts of stuff all the time and break millions of websites in the process. Easier to use a package manager to propagate the required changes to all dependent projects than copying and pasting bits of code between many different files.
That sounds scary. That means the security of your system and data is at the mercy of all those maintainers?

I can't imagine any big companies work like that. Execute code on their servers which is under the control of 'somebody from the internet'.

I can't imagine the opposite could ever happen, be it small companies or big ones - there is not a single company on Earth that has the time to audit every line of every piece of software they run. Especially if that software is proprietary and source isn't even available.
It's not about auditing every line of code. It's about a chain of trust.

I cannot imagine that the security of Facebook's servers is at the mercy of a chain of anonymous coders.

You do what any sane package manager does and pin the version. Having the option to declare a dependency version as >= 4.0.3 is a bug, not a feature.
So you first recursively read the code and the code of all the dependencies? And then pin it?

That sounds like a lot of work. Compared to copying/writing 30 lines.

How do you know the pinned version and its dependencies do not get changed by the maintainers?

I meant as a solution to not breaking in the future. If you have a system with pinned versions that work, it will always work, regardless of the changes in new versions.
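The pinning disagreement above (pin the version vs. "how do you know the pinned version and its dependencies do not get changed?") comes down to what the pin records. A version string alone cannot detect a republished artifact or a new transitive dependency; a lockfile that also records the content hash of every reviewed artifact can. The script below is an added illustration, not code from this thread or from any real package manager; the package names, versions and artifact bytes are constructed for the example.

```python
import hashlib


def sha256_hex(data):
    """Content hash of the exact bytes that were reviewed."""
    return hashlib.sha256(data).hexdigest()


def make_lock(reviewed):
    """Build a lockfile from {name: (version, artifact_bytes)}.

    Every entry, including transitive dependencies, records both the version
    and the hash of the bytes that were actually reviewed at pin time.
    """
    return {name: {"version": version, "sha256": sha256_hex(data)}
            for name, (version, data) in reviewed.items()}


def verify_tree(lock, fetched):
    """Compare a freshly resolved tree {name: (version, bytes)} against the lock.

    Returns a list of human-readable problems. An empty list means every
    artifact is byte-identical to what was pinned, nothing new was pulled in,
    and nothing pinned went missing.
    """
    problems = []
    for name, (version, data) in fetched.items():
        entry = lock.get(name)
        if entry is None:
            problems.append(f"{name}: not in lockfile (new transitive dependency)")
            continue
        if entry["version"] != version:
            problems.append(f"{name}: version {version} != pinned {entry['version']}")
            continue
        if entry["sha256"] != sha256_hex(data):
            problems.append(f"{name}: hash mismatch for {version} (artifact republished?)")
    for name in lock:
        if name not in fetched:
            problems.append(f"{name}: pinned but missing from resolved tree")
    return problems


def version_only_ok(lock, fetched):
    """The weaker check: version strings of the packages named in the lock
    must match; artifact bytes and unlisted transitive packages are ignored."""
    return all(lock[name]["version"] == version
               for name, (version, _) in fetched.items() if name in lock)


# Constructed artifacts (made-up names and contents) standing in for downloaded packages.
REVIEWED = {
    "libfoo": ("2.1.0", b"def pad(s, n): return s.rjust(n)\n"),
    "libbar": ("0.9.4", b"def color(s): return '[red]' + s\n"),
}
LOCK = make_lock(REVIEWED)

# A later install: libbar's maintainer republished 0.9.4 with different bytes,
# and the tree now pulls in a transitive dependency that was never reviewed.
FETCHED_LATER = {
    "libfoo": REVIEWED["libfoo"],
    "libbar": ("0.9.4", b"import os\ndef color(s): os.system('id'); return s\n"),
    "libbaz": ("1.0.0", b"# never seen before\n"),
}

if __name__ == "__main__":
    print("version-only check passes:", version_only_ok(LOCK, FETCHED_LATER))
    for problem in verify_tree(LOCK, FETCHED_LATER):
        print("hash-pinned check:", problem)
```

Run as-is: the version-only check reports success for the tampered tree, while the hash-pinned check flags both the republished libbar artifact and the unreviewed libbaz. The hash pin only guarantees you are running the bytes you reviewed; it says nothing about whether those bytes were trustworthy to begin with, which is the chain-of-trust question the thread raises.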