[Johnny555]

Does that really scale well? Thanks to cascading dependencies, even a medium sized project can import hundreds of dependencies. Can a developer really review them all to figure out if they are safe and that there's not security fix that was fixed in a newer version of the package?

[jpollock]

Yes, that is what is required. Every dependency needs an internal owner and reviewer. Every change needs to be reviewed and brought into the internal repository.

If no one is willing to stand up and say "yes this is safe and of acceptable quality", why use it?

It's a software engineering version of the professional engineering stamp.

[edoceo]

I love the sibling response from @jp...

Also, IME we don't deep dive everything (should we?)

For most stuff we make sure the latest is not-shit and passed test cases. We do have ceremony around version bumps.