by no-name-here 30 days ago
Wouldn't just having devs pin/not upgrade packages accomplish about as much, have the added benefit that if a package is discovered malicious it would be removed from npm but if already vendored you’d still have the vulnerability on your vendored copy, and pinning versions seems like it would be more likely for devs to do than vendoring?

Yeah, pinning dependencies is very similar to vendoring or cloning them. By cloning, you get to know the code better and how it is structured, plus you cherry pick only the features you want.

But, like you said, you are at risk of introducing new vulnerabilities.

I'd just prefer making that bet on myself than on someone I don't know.

Pinning the version also avoids the risk of accidentally introducing new vulnerabilities while reimplementing the package yourself.
Not to support the GP's choices (they are not mine), but pinned dependencies can get grumpy over time with endless LTS migrations.
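The pinning the thread is arguing about, as an added example that is not from the thread: a small check over a constructed package.json that reports dependencies declared as ranges (caret, tilde, wildcard, bare git branch) instead of exact versions. The manifest, package names and the helper functions are assumptions made up for illustration.

```javascript
// Added example (not from the thread): flag dependencies in a package.json
// that are declared as ranges rather than exact, pinned versions.
// The manifest below is constructed for illustration; the names are not real packages.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  dependencies: {
    "left-pad-ish": "1.3.0",               // exact: pinned
    "some-lib": "^2.1.0",                  // caret range: picks up new minors
    "other-lib": "~0.4.2",                 // tilde range: picks up new patches
    "wild": "*",                           // anything at all
    "from-git": "github:example/repo#main" // branch reference, moves over time
  },
  devDependencies: {
    "test-tool": ">=3.0.0",                // open-ended range
    "pinned-alias": "npm:real-name@4.0.1"  // alias to an exact version
  }
});

// Exact semver: MAJOR.MINOR.PATCH with optional prerelease/build metadata.
const EXACT = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// True when the spec can resolve to exactly one version.
function isPinned(spec) {
  // "npm:name@1.2.3" aliases: judge the part after the last "@".
  if (spec.startsWith("npm:")) {
    const at = spec.lastIndexOf("@");
    return at > 4 && EXACT.test(spec.slice(at + 1));
  }
  // Git references are pinned only when they end in a full commit hash.
  if (/^(git\+|github:|gitlab:|bitbucket:|git:)/.test(spec) || spec.includes("://")) {
    return /#[0-9a-f]{40}$/.test(spec);
  }
  return EXACT.test(spec);
}

// Returns [{ section, name, spec }] for every dependency that is not pinned.
function findUnpinned(manifestText) {
  const pkg = JSON.parse(manifestText);
  const sections = ["dependencies", "devDependencies", "optionalDependencies"];
  const out = [];
  for (const section of sections) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      if (!isPinned(spec)) out.push({ section, name, spec });
    }
  }
  return out;
}

for (const r of findUnpinned(SAMPLE_PACKAGE_JSON)) {
  console.log(`${r.section}: ${r.name} -> ${r.spec}`);
}
```

This only inspects the declared specifiers; a committed lockfile installed with `npm ci` is what actually fixes the resolved versions and their integrity hashes.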