We need a way and a policy for dealing with third-party vendor files such as ckeditor for rich text editing.

Discussed options to date:

Strongly opposed for anything but very early experimentation; too messy.

"Git submodules"

Has issues, but in spite of that I prefer them over checking in vendor packages.

"package manager"

For cases where official npm packages exist, I consider this a very good idea.

For cases where official npm packages do not exist, this is less ideal, but we could consider maintaining our own unofficial packages, referenced by Git URL.

I'm reluctant about the notion of pulling in non-npm package management systems. Too many package managers is like too many cooks.

"3rd party CDN"

I consider this good for things loaded by the browser, conditional on the following all being true:

- We use integrity checks (most importantly)
- The URL is versioned
- The URL is official for the library in question (exceptions could be made if we have reason to be sure the URL won't get changed/removed)

The thought also comes to mind that, longer term, for any of the above cases except official npm packages, where npm already handles this, we ought to plan to have a way to be informed if such a dependency has known security issues that an update would fix. Maybe by some sort of CVE checking running automatically.