[umpalumpaaa]

In my previous company, we "simply" used fixed versions for our dependencies. And we had our own NPM registry that only had already approved packages for specific version. Approval required a security review by someone from the Security team… At first I was super annoyed by this. But I started to like this approach. It also reduced surprises while developing in a team… "it works on my machine" was rare since everyone was using the exact same versions. And moving to a newer version was done on a regular basis but it was an intentional thing we did.

[zaphirplane]

How did the security team conduct a security review of a non trivial package

[vrighter]

they run it throuh a tool that checks online whether any cves relate to that version. They don't care whether you actually hit the vuln, if there's a cve it's "bad". That's usually the level i see.