by const_cast 300 days ago
Guys say it with me: vendor your packages! VENDOR YOUR PACKAGES!
2 comments

How about: commit your dependency lockfiles, make sure they use content-addressing cryptographic checksums like Cargo.lock does.

This is also needed for both reproducible builds and SBOMs.

If you commit the actual source code you're making things worse, because it makes coordinated source code review efforts a lot harder. Also patch management with actual vendored source code is terrible.

And mirror your dependencies.
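The content-addressing point above, as an added example that is not code from this thread: Cargo.lock pins each registry crate to the SHA-256 of its .crate tarball, so a mirror or CI job can re-hash what it downloaded and refuse anything that does not match. The crate bytes and the lockfile fragment below are constructed, and the lockfile parser is a deliberately minimal one written for this check.

```python
import hashlib
import re
from typing import Dict, List

# Constructed stand-ins for .crate tarball bytes (not real crates).
GOOD_CRATE = b"example-crate-1.2.3 .crate tarball bytes (constructed)"
TAMPERED_CRATE = GOOD_CRATE + b"\n# injected line"

def cargo_checksum(crate_bytes: bytes) -> str:
    """Cargo's `checksum` field is the hex SHA-256 of the whole .crate file."""
    return hashlib.sha256(crate_bytes).hexdigest()

# Constructed Cargo.lock fragment. Registry packages carry a checksum;
# path/git packages (here `local-crate`) do not, so nothing pins their bytes.
LOCKFILE = f"""version = 3

[[package]]
name = "example-crate"
version = "1.2.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "{cargo_checksum(GOOD_CRATE)}"

[[package]]
name = "local-crate"
version = "0.1.0"
"""

_FIELD = re.compile(r'^(name|version|source|checksum)\s*=\s*"([^"]*)"', re.M)

def parse_lockfile(text: str) -> List[Dict[str, str]]:
    """Minimal [[package]] parser for the four fields this check needs."""
    return [dict(_FIELD.findall(block)) for block in text.split("[[package]]")[1:]]

def verify(lock_text: str, crates: Dict[str, bytes]) -> Dict[str, str]:
    """Verdict per package: 'ok', 'mismatch' (bytes differ from the pinned
    hash), 'unpinned' (no checksum recorded) or 'missing' (not in the mirror)."""
    verdicts = {}
    for pkg in parse_lockfile(lock_text):
        name, expected = pkg["name"], pkg.get("checksum")
        if expected is None:
            verdicts[name] = "unpinned"
        elif name not in crates:
            verdicts[name] = "missing"
        elif cargo_checksum(crates[name]) == expected:
            verdicts[name] = "ok"
        else:
            verdicts[name] = "mismatch"  # tampered or substituted download
    return verdicts
```

An "unpinned" verdict is the case to watch in an SBOM or reproducible-build pipeline: the lockfile names the package but cannot attest to its contents.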

Vendor or fork?

Corporate needs you to find the difference between the two pictures.

They’re the same picture.