first, it allows you to build your app much faster in your CI
cache as you said
then it ensures you have the exact version of your dependencies
repeatable builds and exact versioning let you do that
then there is no way one of them gets injected by some malware dependency
what if it's already in there? It's not like you're going to audit the code of every single dependency (and their dependencies) you add but you can still use the cache for that
finally, you are not dependent on the network (or on the remote dependency repositories) during the build
proxy or cache as you said
None of these arguments satisfied me, not that they're not true, but I think each of them can be solved in a cleaner way, for example by using a cache, a custom repository with audited dependencies, and by solving the network issues directly.
Yep :-)
It's not a bad thing to do; it's just not really needed, and you end up putting your dependencies (and their dependencies) as a diff in the git log every time you upgrade anything