by svnpenn
1542 days ago
> transitive dependencies are automatically updated to pick up security fixes

Does Node do this? That seems like an awful idea. People should be manually updating dependencies, never automatically. Stuff like dependabot needs to die.
Dependabot is by far the most convenient way that I’ve seen to actually check that your dependency updates are not overtly malicious.
It's not some tool that just removes your lockfiles behind your back, as you seem to be implying.