
Dependency bundling

Posted Dec 19, 2021 14:28 UTC (Sun) by khim (subscriber, #9252)
In reply to: Dependency bundling by sionescu
Parent article: Lessons from Log4j

> If they get acquired by a large company, the biggest M&A risk is that they will have to do a major refactor or even rewrite in order to fix that mess.

Highly unlikely. More likely: they would be told to make sure CI/CD can run without internet access and that would be it.

The solution is to take all the bazillion dependencies and put them into one repo. Then never update.

You may guess how wonderfully this would improve the security of the whole thing.



Copyright © 2025, Eklektix, Inc.