Pin dependencies to reduce risk of supply chain attacks #263

@nigelmegitt

Description

I just noticed that many of the dev dependencies are pinned to latest - that's a practice that we've stopped using in BBC because it provides no protection against supply chain attacks, i.e. where someone maliciously puts code you don't want to run into a dependency, which gets pulled on an install, and run without you realising it.

Instead, we prefer to pin dependencies to exact versions (== not ^ preferably) and use a bot like Dependabot to propose version updates, and in the config specify a "cooldown" period of 7 days so that any updates to dependencies have had a chance to be peer reviewed and any vulnerabilities reported.
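As an added example (not code from this project or from the issue author), the script below implements the first half of the recommendation above as a check you can run in CI: it walks a `package.json` and flags every specifier that can resolve to a different artifact than the one last reviewed. Exact versions, local `file:`/`link:`/`workspace:` sources and git dependencies pinned to a full commit SHA pass; caret/tilde ranges, dist-tags such as `latest`, wildcards, open range expressions and git branch/tag refs are reported. The manifest at the bottom is a constructed sample; `classify` and `findUnpinned` are names chosen here, not part of any npm tooling.

```javascript
// Added example (not the project's code): audit a package.json for dependency
// specifiers that can resolve to something other than the reviewed version.
// Only exact versions, local paths and git refs pinned to a full commit SHA pass.

const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;
const GIT_SPEC = /^(?:git\+|git:|github:|https?:\/\/)|^[\w.-]+\/[\w.-]+(?:#|$)/;
const FULL_SHA = /#[0-9a-f]{40}$/i;

// Returns null when `spec` pins a single, reviewable artifact, otherwise a short
// reason describing why an install could pull code nobody has looked at yet.
function classify(spec) {
  let s = String(spec).trim();

  // Local sources: nothing is fetched from the registry.
  if (/^(?:file|link|workspace):/.test(s)) return null;

  // Alias form "npm:<name>@<spec>": judge the spec after the last "@".
  // A missing spec behaves like the "latest" dist-tag.
  if (s.startsWith("npm:")) {
    const body = s.slice(4);
    const at = body.lastIndexOf("@");
    s = at > 0 ? body.slice(at + 1) : "";
  }

  // Git dependencies are immutable only when pinned to a full commit hash;
  // a branch or tag name can be moved to point at different code.
  if (GIT_SPEC.test(s)) {
    return FULL_SHA.test(s) ? null : "git ref is a branch/tag, not a full commit SHA";
  }

  s = s.replace(/^[=v]/, ""); // "=1.2.3" and "v1.2.3" are exact in npm's semver
  if (EXACT_VERSION.test(s)) return null;

  if (s === "" || s === "*" || /^[A-Za-z]/.test(s)) {
    return "dist-tag or wildcard: resolves to whatever is newest at install time";
  }
  if (/^[\^~]/.test(s)) {
    return "caret/tilde range: newer minor or patch releases are pulled automatically";
  }
  return "range expression: more than one version satisfies it";
}

// Collect a finding for every unpinned entry in the registry-backed sections.
// peerDependencies are deliberately left out: those are meant to be ranges.
function findUnpinned(pkg) {
  const sections = ["dependencies", "devDependencies", "optionalDependencies"];
  const findings = [];
  for (const section of sections) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      const reason = classify(spec);
      if (reason !== null) findings.push({ section, name, spec, reason });
    }
  }
  return findings;
}

// Constructed sample manifest for illustration, not a real project's package.json.
const SAMPLE_PACKAGE_JSON = {
  name: "sample-app",
  dependencies: {
    express: "4.19.2",
    lodash: "^4.17.21",
    "left-pad": "latest",
  },
  devDependencies: {
    eslint: "~9.0.0",
    typescript: "5.4.5",
    "some-tool": "npm:other-tool@^2.0.0",
    "my-lib": "github:example/my-lib#main",
    "pinned-git": "github:example/pinned#0123456789abcdef0123456789abcdef01234567",
    "local-thing": "file:../local-thing",
    wide: ">=1.0.0 <2.0.0",
  },
};

for (const f of findUnpinned(SAMPLE_PACKAGE_JSON)) {
  console.log(`${f.section}/${f.name}: "${f.spec}" -> ${f.reason}`);
}
```

Exact pins in `package.json` only cover direct dependencies; transitive versions are fixed by the lockfile, so the check is only meaningful alongside a committed lockfile and an install command that refuses to deviate from it (`npm ci` rather than `npm install`). The cooldown half of the recommendation lives in the update bot's configuration rather than in a script like this one.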
