by nicoburns 180 days ago
IMO the solution is auditing. We should be auditing every single version of every single dependency before we use it. Not necessarily personally, but we could have a review system like Ebay/Uber/AirBnB and require N trusted reviews.

This is the way. But people read it, nod their heads, and then go back to yolo'ing dependencies into their project without reading them. Culture change is needed.
> Culture change is needed.

Yes, but IMO a tooling change is needed first. There just isn't good infrastructure for doing this.