DEV Community

Discussion on: He Commits Vendor! 😱

rhymes • Edited
  • first it allows you to build your app much faster in your CI

cache as you said

  • then it ensures you have the exact version of your dependencies

repeatable builds and exact versioning let you do that

  • then there is no way one of them gets injected by some malware dependency

what if it's already in there? It's not like you're going to audit the code of every single dependency (and their dependencies) you add but you can still use the cache for that

  • finally you are not dependent on the network (or on the remote dependency repositories) during the build

proxy or cache as you said

None of these arguments satisfied me, not that they're not true, but I think each of them can be solved in a cleaner way, for example by using a cache, a custom repository with audited dependencies, and by solving directly the network issues.

Yep :-)

It's not a bad thing to do, it's just not really needed and you end up putting your dependencies (and their dependencies) as a diff in the git log every time you upgrade anything
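The comment's alternative to committing vendor is a lock file with exact versions plus a cache or proxy. What makes that combination give the same integrity guarantee as a vendored tree is a hash check of every cached artifact against the lock file before the build proceeds. The script below is an added illustration of that check, not code from the discussion or from any package manager; the lock-file layout, the artifact names and their bytes are all constructed for the example.

```python
"""Verify a local dependency cache against a lock file of pinned artifact
hashes. Constructed example: the lock format, package names and archive
bytes below are assumptions, not any real ecosystem's format."""
import hashlib
import hmac
import tempfile
from pathlib import Path

# Constructed archives as they were when the lock file was written.
# In a real project these would be the tarballs the resolver downloaded.
ARTIFACTS = {
    "widget-1.2.0.tgz": b"constructed archive bytes for widget 1.2.0",
    "gadget-3.0.1.tgz": b"constructed archive bytes for gadget 3.0.1",
    "gizmo-0.9.4.tgz": b"constructed archive bytes for gizmo 0.9.4",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# The lock file: exact artifact name (name + version) -> expected SHA-256.
# Committing this small file, rather than the archives themselves, is what
# gives repeatable builds without vendor diffs in the git log.
LOCK = {name: sha256_hex(data) for name, data in ARTIFACTS.items()}


def verify_cache(lock: dict, cache_dir: Path) -> dict:
    """Return {artifact: 'ok' | 'missing' | 'hash-mismatch'} for every lock entry.

    'missing' means the cache/proxy could not supply the artifact (network
    problem or cold cache); 'hash-mismatch' means the bytes differ from what
    was locked (republished version, corrupted mirror, or tampering)."""
    results = {}
    for name, expected in lock.items():
        path = cache_dir / name
        if not path.is_file():
            results[name] = "missing"
            continue
        actual = sha256_hex(path.read_bytes())
        # Constant-time comparison is cheap and avoids a class of mistakes.
        results[name] = "ok" if hmac.compare_digest(actual, expected) else "hash-mismatch"
    return results


def cache_is_trustworthy(results: dict) -> bool:
    """A CI build should refuse to run unless every lock entry verified."""
    return bool(results) and all(status == "ok" for status in results.values())


def demo() -> dict:
    """Populate a temporary cache with one good, one altered and one absent
    artifact, then run the verification. Returns the per-artifact status."""
    with tempfile.TemporaryDirectory() as tmp:
        cache = Path(tmp)
        # Intact artifact: identical bytes to what was locked.
        (cache / "widget-1.2.0.tgz").write_bytes(ARTIFACTS["widget-1.2.0.tgz"])
        # Same file name and version, different content: the lock catches it.
        (cache / "gadget-3.0.1.tgz").write_bytes(b"different bytes under the same version")
        # gizmo-0.9.4.tgz is deliberately not written: simulates an unreachable proxy.
        return verify_cache(LOCK, cache)


if __name__ == "__main__":
    report = demo()
    for artifact, status in report.items():
        print(f"{status:14s} {artifact}")
    print("build may proceed:", cache_is_trustworthy(report))
```

The point the comment makes is visible in the output: a changed upstream artifact and a missing one are both caught by the lock file alone, so the audit and network concerns are handled by a committed hash list plus a cache rather than by committing the archives.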