12642 shaares
316 private links
316 private links
Vendor the dependencies in the project directly. It will avoid to install the dependencies every time.
So just by not updating dependencies automatically, you turn every single package in an ecosystem into a fire-break for supply chain attacks.