by Normal_gaussian
307 days ago
For me, it doesn't support secure and reliable dependency vendoring. The best way to do this at the moment is using (and configuring) yarn for zero-installs. This keeps dependencies inside the codebase so that:
* Issues can be easily traced to the code that actually ran - development and deployment are the same.
* Deployment doesn't depend on package repositories.
* Deployment is secure from many kinds of attacks.
* It is possible to transparently patch packages.
* Development is only internet dependent when adding a new package.
* And the best ease-of-use: no reinstall when changing branches.
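As an added example, not part of the comment above and not Yarn's own code, here is the configuration a Yarn Berry (2+) zero-install setup needs, written as a small POSIX shell helper. The `.yarnrc.yml` keys, the `.gitignore` rules and the `yarn install` flags are the ones Yarn documents; the function names, the checkout-directory argument and the check function are this example's own.

```shell
#!/bin/sh
# Added example (not from the original comment or from Yarn): configure a
# checkout for Yarn zero-installs and sanity-check that configuration.
# Function names are this example's own; file names and keys follow Yarn docs.

# Write the .yarnrc.yml settings and .gitignore rules that keep the
# dependency cache inside the repository, into checkout directory $1.
write_zero_install_config() {
  dir=$1
  mkdir -p "$dir"
  cat > "$dir/.yarnrc.yml" <<'EOF'
# Plug'n'Play: the resolved dependency tree lives in .pnp.cjs, not node_modules
nodeLinker: pnp
# Yarn 4 defaults to a global cache; zero-installs need it under .yarn/cache
enableGlobalCache: false
EOF
  cat >> "$dir/.gitignore" <<'EOF'
# Yarn zero-installs: commit the offline cache, patches, plugins and the
# pinned Yarn release; ignore the rest of .yarn (install state, unplugged, ...)
.yarn/*
!.yarn/cache
!.yarn/patches
!.yarn/plugins
!.yarn/releases
!.yarn/sdks
!.yarn/versions
EOF
}

# Return 0 when a checkout in $1 has the two settings zero-installs depend on
# (in-repo cache enabled, cache not ignored by git), 1 otherwise.
check_zero_install() {
  dir=$1
  grep -qx 'enableGlobalCache: false' "$dir/.yarnrc.yml" 2>/dev/null || return 1
  grep -qx '!.yarn/cache' "$dir/.gitignore" 2>/dev/null || return 1
  return 0
}

# CI / deployment install: --immutable fails if yarn.lock would change,
# --immutable-cache fails if .yarn/cache would change. Together they make the
# install reproducible from the committed tree alone, with no registry access.
ci_install() {
  yarn install --immutable --immutable-cache
}

# Periodic audit, run where network access is acceptable: --check-cache
# refetches every package and verifies its checksum against yarn.lock, so a
# cache archive that was altered in the repo is reported rather than trusted.
audit_cache() {
  yarn install --immutable --check-cache
}
```

Run `write_zero_install_config .` once in a fresh repository, commit `.yarn/cache`, `.yarn/releases`, `.pnp.cjs` and `yarn.lock`, and use `ci_install` in the deploy pipeline; `check_zero_install .` is cheap enough to run as a pre-commit hook so nobody silently re-enables the global cache.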