Every dependency you add is a supply chain attack waiting to happen
Summary
This article argues that every dependency you add or update can become a supply-chain risk, citing real-world compromises and the pitfalls of automatic updates. It advocates turning off automatic dependency updates, locking dependencies, and reviewing changes manually to improve security for software projects.
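One way to put the "lock and review manually" practice into code, as an added example that is not from the article: a small Python checker that diffs two pinned requirements.txt-style manifests (the sample manifests below are constructed) and reports added, removed, changed and floating entries for a human to inspect before an update is merged.

```python
# Added example: flag what changed between two pinned dependency manifests.
import re

# Constructed sample manifests in requirements.txt style (not real projects).
BEFORE = """\
requests==2.31.0
urllib3==2.0.7
certifi==2023.7.22
"""
AFTER = """\
requests==2.32.0
urllib3==2.0.7
certifi==2023.7.22
left-pad-helper==0.1.0
idna>=3.4
"""

# name, comparison operator, version; comments and blank lines are skipped.
PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*([=<>!~]=?)\s*([^\s#]+)")

def parse_manifest(text):
    """Return {name: (operator, version)}; reject lines that cannot be parsed."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = PIN_RE.match(line)
        if not m:
            raise ValueError(f"unparseable requirement: {line!r}")
        name, op, ver = m.groups()
        pins[name.lower()] = (op, ver)
    return pins

def review_changes(before_text, after_text):
    """Classify every difference so a reviewer sees it before merging."""
    before, after = parse_manifest(before_text), parse_manifest(after_text)
    report = {"added": [], "removed": [], "changed": [], "unpinned": []}
    for name in sorted(set(before) | set(after)):
        old, new = before.get(name), after.get(name)
        if old is None:
            report["added"].append(name)
        elif new is None:
            report["removed"].append(name)
        elif old != new:
            report["changed"].append((name, old[1], new[1]))
        # A floating spec (>=, ~=, anything but ==) defeats the lock: flag it.
        if new is not None and new[0] != "==":
            report["unpinned"].append(name)
    return report
```

Running `review_changes(BEFORE, AFTER)` on the constructed data reports the `requests` bump, the two new packages, and `idna` as unpinned.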