Vendor the dependencies directly in the project. This avoids having to install the dependencies every time.
So just by not updating dependencies automatically, you turn every single package in an ecosystem into a fire-break for supply chain attacks.