DEV Community

Discussion on: Update dependencies safely - with a delay on newly published versions

Andreas Sommarström

The colors.js/faker.js incident, with the maintainer intentionally sabotaging his own packages, adds to the reasons why a little delay to protect your automated systems may be a good idea. By the time the package would have been allowed into your supply chain, the problem has long since been identified and handled by the community.
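One way to implement the delay the comment above argues for, as an added example that is not code from the original post or from the commenter: npm registry packuments (`https://registry.npmjs.org/<name>`) carry a `time` map with the publish timestamp of every version, so a tool can refuse any version younger than a chosen number of days and fall back to the newest one that has already survived in public for that long. The packument below is constructed for the example (the package name, versions and dates are invented), and the version comparison handles plain `x.y.z` strings only.

```javascript
// Added example, not from the original page: choose the newest version of an
// npm package that has been public for at least `minAgeDays`, based on the
// `time` map every registry packument carries.

// Constructed sample packument for a hypothetical package "example-pkg".
// Versions and timestamps are invented for this example, not real registry data.
const SAMPLE_PACKUMENT = {
  name: "example-pkg",
  "dist-tags": { latest: "1.4.1" },
  time: {
    created: "2021-01-10T12:00:00.000Z",
    modified: "2022-01-09T00:30:00.000Z",
    "1.3.0": "2021-10-01T10:00:00.000Z",
    "1.4.0": "2021-12-20T09:15:00.000Z",
    "1.4.1": "2022-01-08T23:50:00.000Z", // published only hours before "now" below
  },
};

const DAY_MS = 24 * 60 * 60 * 1000;

// Numeric comparison of plain x.y.z version strings. Pre-release tags and
// ranges are not handled; a real tool would use the `semver` package.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const diff = (pa[i] || 0) - (pb[i] || 0);
    if (diff !== 0) return diff;
  }
  return 0;
}

// Return the highest version whose publish timestamp is at least `minAgeDays`
// old as of `now`, or null when no version is old enough. The `time` map also
// holds the non-version keys "created" and "modified", so only x.y.z keys count.
function newestAgedVersion(packument, minAgeDays, now = new Date()) {
  const cutoff = now.getTime() - minAgeDays * DAY_MS;
  const candidates = Object.entries(packument.time)
    .filter(([key]) => /^\d+\.\d+\.\d+$/.test(key))
    .filter(([, published]) => Date.parse(published) <= cutoff)
    .map(([version]) => version)
    .sort(compareVersions);
  return candidates.length ? candidates[candidates.length - 1] : null;
}

// Usage: "now" is pinned so the run is deterministic. With a three-day delay the
// hours-old 1.4.1 is skipped and 1.4.0 is selected even though "latest" says 1.4.1.
const now = new Date("2022-01-09T08:00:00.000Z");
console.log(newestAgedVersion(SAMPLE_PACKUMENT, 3, now)); // 1.4.0
console.log(newestAgedVersion(SAMPLE_PACKUMENT, 0, now)); // 1.4.1
```

Two points worth noting when using this in practice: the selection deliberately ignores the `latest` dist-tag, since that is exactly the pointer a sabotaged or hijacked release moves; and the timestamps come from the registry itself, so the check is only as trustworthy as the registry's clock and records. A version that the registry has since removed simply disappears from the `time` map and is no longer a candidate.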