Hacker News
by pabs3, 56 days ago
Better to treat it as a dependency still, but audit each new commit/release as it comes in, and pin to the exact last commit id that you verified.
1 comments
deepsun, 54 days ago
Yes, but usually no one audits new dependency versions. Mostly only the Release Notes.
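The workflow pabs3 describes, as an added shell example that is not part of either comment: the git-hosted dependency stays a dependency, but it is pinned to the exact commit id that was audited, a check refuses to proceed when the checkout drifts from that pin, and the commits that arrived upstream since the pin are listed so they can be read before the pin moves. The "upstream" repository, its file contents and all paths are constructed inline with git and mktemp so the script runs offline; the function names are assumptions of this example, not a tool anyone in the thread mentions.

```shell
# Added example (not from the thread): pin a git dependency to an audited
# commit id, refuse to build off the pin, and surface unreviewed commits.
# Everything under "constructed demo environment" is made up for the demo.
set -eu

# Identity for the demo commits; any value works.
export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid

# A pin must be a full commit id (SHA-1 or SHA-256). Tags and branches can be
# moved by upstream, and an abbreviated id can become ambiguous later.
is_full_commit_id() {
  printf '%s' "$1" | grep -Eq '^[0-9a-f]{40}$|^[0-9a-f]{64}$'
}

# Pass only if the working copy sits exactly on the pinned commit.
verify_pin() {           # verify_pin <checkout_dir> <pinned_commit_id>
  local dir=$1 pin=$2 head
  is_full_commit_id "$pin" || { echo "pin is not a full commit id: $pin" >&2; return 1; }
  head=$(git -C "$dir" rev-parse HEAD)
  [ "$head" = "$pin" ] || { echo "checkout is at $head but pin is $pin" >&2; return 1; }
}

# Fetch upstream and show what arrived after the pin: the commits to read
# before the pin is moved. count_new_commits prints just the number.
list_new_commits() {     # list_new_commits <checkout_dir> <pinned_commit_id> <remote_ref>
  git -C "$1" fetch -q origin
  git -C "$1" log --oneline "$2..$3"
}
count_new_commits() {    # count_new_commits <checkout_dir> <pinned_commit_id> <remote_ref>
  git -C "$1" fetch -q origin
  git -C "$1" rev-list --count "$2..$3"
}

# Only after the review: move the checkout and print the new pin together,
# so the lockfile never points at a commit that was not checked out and read.
accept_commit() {        # accept_commit <checkout_dir> <commit_id>  -> prints new pin
  is_full_commit_id "$2" || return 1
  git -C "$1" -c advice.detachedHead=false checkout -q "$2"
  printf '%s\n' "$2"
}

# --- constructed demo environment (stands in for the real upstream) ------
make_demo_upstream() {   # prints the path of a throwaway upstream repo
  local up
  up=$(mktemp -d)
  git -C "$up" init -q
  git -C "$up" symbolic-ref HEAD refs/heads/main
  printf 'def f(): return 1\n' > "$up/lib.py"
  git -C "$up" add lib.py
  git -C "$up" commit -q -m "initial release, audited"
  printf '%s\n' "$up"
}
add_upstream_commit() {  # add_upstream_commit <upstream_dir> <message>
  printf '# %s\n' "$2" >> "$1/lib.py"
  git -C "$1" commit -q -am "$2"
}
clone_and_pin() {        # clone_and_pin <upstream_dir> <dest_dir>  -> prints the pin
  git clone -q "$1" "$2"
  git -C "$2" rev-parse HEAD
}
```

Typical use: run `verify_pin` in the build before the dependency is compiled or imported; run `list_new_commits` when a release or new commit lands, read the output, and only then call `accept_commit` and record the id it prints as the new pin.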