by yardstick
2652 days ago
From a security perspective, minimising dependencies is preferred. I have to review at least monthly all our dependencies for published vulnerabilities and new versions. We don’t allow automatic upgrading of packages/dependencies due to the risk of malicious code making it in (see https://www.npmjs.com/advisories for examples). Yeah there are companies that will help manage your vulnerability process but it’s still a lot of overhead and only grows as the number of dependencies grows. There’s also the whole left-pad mess from a few years back which shows you always need local archived copies of any dependencies you use.
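The two controls the comment above argues for (no self-upgrading version ranges, and a verifiable record of every archived dependency) can be checked mechanically. The following is an added example, not code from the thread: it audits a package.json / package-lock.json pair and reports floating ranges, packages missing from the lockfile, and lock entries without an `integrity` hash or `resolved` URL. The sample manifests, the registry URL and the integrity value are constructed placeholders.

```javascript
// Added example (not from the thread). Audits a constructed package.json /
// package-lock.json (lockfile v3 layout: "packages" keyed by node_modules path).

function isFloating(spec) {
  // Anything that is not an exact semver triple (e.g. ^4.17.0, ~1.2.3, *, latest,
  // a git URL) can resolve to something newer on the next install.
  return !/^\d+\.\d+\.\d+$/.test(spec);
}

function auditManifest(pkg, lock) {
  const findings = [];
  const declared = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  for (const [name, spec] of Object.entries(declared)) {
    if (isFloating(spec)) {
      findings.push({ name, issue: 'floating-range', detail: spec });
    }
    if (!lock.packages[`node_modules/${name}`]) {
      findings.push({ name, issue: 'not-in-lockfile' });
    }
  }
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path === '') continue; // the root project entry
    const name = path.replace(/^.*node_modules\//, '');
    // Without integrity + resolved, an archived tarball cannot be checked
    // against what was actually reviewed.
    if (!entry.integrity) findings.push({ name, issue: 'missing-integrity' });
    if (!entry.resolved) findings.push({ name, issue: 'missing-resolved' });
  }
  return findings;
}

// Constructed sample: one pinned dependency, one caret range, one lock entry
// that records a URL but no hash.
const samplePkg = { dependencies: { 'left-pad': '1.3.0', lodash: '^4.17.0' } };
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { dependencies: samplePkg.dependencies },
    'node_modules/left-pad': {
      version: '1.3.0',
      resolved: 'https://registry.example/left-pad-1.3.0.tgz', // placeholder
      integrity: 'sha512-PLACEHOLDER', // placeholder, not a real hash
    },
    'node_modules/lodash': {
      version: '4.17.21',
      resolved: 'https://registry.example/lodash-4.17.21.tgz', // placeholder
    },
  },
};

console.log(JSON.stringify(auditManifest(samplePkg, sampleLock), null, 2));
```

Run against a real project's manifests, a non-empty result is the list of packages that would still need a review step or a re-pin before the "no automatic upgrades" policy actually holds.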
> you always need local archived copies of any dependencies you use.

That's a good idea, how do you do that? Are you committing your dependencies? Or using a package manager with caching?