by kixxauth 29 days ago
Vendor your dependencies, clone or port them where needed, and freeze them. Most good packages these days do not have a deep dependency tree, and we should stop using the ones that do.

I spent a week with Claude and Codex re-implementing several packages which had dependency trees deeper than I would like.

Most of these packages are trivial to clone.

"But now you're not getting the upstream fixes" they will say.

"So what?" I reply.


Wouldn't just having devs pin/not upgrade packages accomplish about as much, have the added benefit that if a package is discovered malicious it would be removed from npm but if already vendored you’d still have the vulnerability on your vendored copy, and pinning versions seems like it would be more likely for devs to do than vendoring?
Yeah, pinning dependencies is very similar to vendoring or cloning them. By cloning, you get to know the code better and how it is structured, plus you cherry-pick only the features you want.

But, like you said, you are at risk of introducing new vulnerabilities.

I'd just prefer making that bet on myself than on someone I don't know.

Pinning the version also avoids the risk of accidentally introducing new vulnerabilities while reimplementing the package yourself.
Not to support the GP's choices (they are not mine), but pinned dependencies can get grumpy over time with endless LTS migrations.