| ▲ | password4321 4 hours ago | |
The point is to allow the automated scanners a chance to run. Every security company and their cousin wants to be the one to find the next big dependency malware. | ||
| ▲ | x0x0 an hour ago | parent [-] | |
The idea that a package can be updated and with a deploy at the right time could be live on your servers in prod 10 minutes later has always been crazy, and the last years have just reinforced that. People are encouraged by package managers to treat any bit of code someone tosses onto a package manager as equivalent in reliability to the core language and sdk. | ||