Comment by EGreg
2 months ago
Exactly.
I always tried to keep the dependencies to a minimum.
Another thing you can do is lock versions to a year ago (this is what linux distros do) and wait for multiple audits of something, or lack of reports in the wild, before updating.
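As an added example (not from the comment above), here is a small "release age" check that enforces the rule of locking to versions that are at least a year old: it reads the resolved versions from a lockfile and flags any pin whose publish date is younger than the cooldown. The lockfile, the registry timestamps and the fixed clock are all constructed sample data; a real run would fetch the registry's per-version "time" metadata instead.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of an npm package-lock v3 "packages" map.
LOCKFILE = {
    "packages": {
        "": {"name": "demo-app"},
        "node_modules/pkg-a": {"version": "1.3.0"},
        "node_modules/pkg-b": {"version": "2.0.1"},
        "node_modules/pkg-c": {"version": "4.17.21"},
    }
}

# Constructed sample of per-version publish timestamps (the npm registry
# exposes these under the "time" key of a package document).
REGISTRY_TIME = {
    "pkg-a": {"1.3.0": "2018-04-23T00:00:00Z"},
    "pkg-b": {"2.0.1": "2022-01-08T00:00:00Z"},
    "pkg-c": {"4.17.21": "2021-02-20T00:00:00Z"},
}

# Fixed clock so the check is reproducible offline.
NOW = datetime(2022, 1, 10, tzinfo=timezone.utc)


def resolved_versions(lockfile):
    """Map package name -> pinned version, skipping the root entry."""
    out = {}
    for path, entry in lockfile["packages"].items():
        if not path.startswith("node_modules/"):
            continue
        name = path.rsplit("node_modules/", 1)[-1]  # handles nested installs
        out[name] = entry["version"]
    return out


def too_young(lockfile, registry_time, now=NOW, min_age_days=365):
    """Return {name: (version, age_in_days)} for pins younger than the cooldown."""
    cutoff = now - timedelta(days=min_age_days)
    flagged = {}
    for name, version in resolved_versions(lockfile).items():
        stamp = registry_time[name][version].replace("Z", "+00:00")
        published = datetime.fromisoformat(stamp)
        if published > cutoff:
            flagged[name] = (version, (now - published).days)
    return flagged


if __name__ == "__main__":
    for name, (version, age) in too_young(LOCKFILE, REGISTRY_TIME).items():
        print(f"{name}@{version} is only {age} days old; below the 365-day cooldown")
```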
I saw one of those word-substitution browser plugins a few years back that swapped "dependency" for "liability", and it was basically never wrong.
(Big fan of version pinning in basically every context, too)
I'm re-reading all these previous comments, replacing "dependency" with "liability" in my mind, and it's quite fun to see how well everything still keeps the same meaning, but better.