That is also part of my point. Every package is a dependency and a potential problem. You need to weigh the benefits against the risks.
If for every package you need to check quality, license and lifetime, then maybe the overhead is too big. If the organisation has actual OSS policies, then it can get out of control. What if the package changes license?
There is a reason that in an escrow agreement, all dependencies are included.
Agreed. This is also why many companies have started using solutions like Artifactory.