NPM “foreach” module maintainer's email domain expired (mastodon.social) 10 points by bluehatbrit 4y ago ↗ HN
[–] conaclos 4y ago ↗ It is one of the reason why I have a strict policy regarding dependencies:1. Think twice before introducing a third-party dependency (including dev dependency).2. Favor trusted dependencies with a good dependency policy.3. Avoid dependencies with tens/hundreds of third-party (transitive) dependencies.4. Audit mid-trusted dependencies (including their transitive dependencies).5. Use an exact version for mid-trusted dependencies in order to avoid non-audited updates (=x.y.z).6. Use scoped packages for new projects in order to define trust boundaries.
1 comment
[ 3.7 ms ] story [ 15.5 ms ] thread1. Think twice before introducing a third-party dependency (including dev dependency).
2. Favor trusted dependencies with a good dependency policy.
3. Avoid dependencies with tens/hundreds of third-party (transitive) dependencies.
4. Audit mid-trusted dependencies (including their transitive dependencies).
5. Use an exact version for mid-trusted dependencies in order to avoid non-audited updates (=x.y.z).
6. Use scoped packages for new projects in order to define trust boundaries.