I don’t understand why the package registries/managers haven’t yet provided options to compile in dependencies of dependencies on release.
E.g. package A depends on B; if you install A, B is baked into it at the install step. That way, your active dependencies are only those which you purposely install, and some compromised package X dependencies down the chain won’t bite you when you do an automatic upgrade.
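One way to approximate what the comment asks for today, as an added example that is not part of the original post: a lockfile audit that walks the transitive closure from the packages you deliberately installed and flags any dependency edge that is a floating range (which an automatic upgrade could move) or any package with no recorded integrity hash. The manifest format, package names and hashes below are constructed for illustration and do not follow any real registry's lockfile schema.

```python
"""Audit a lockfile-style manifest so transitive deps are pinned, not floating."""
import re

# Constructed sample manifest (hypothetical format, not a real lockfile schema):
#   name -> {"version", "integrity", "deps": {dep_name: version_spec}}
# A is what the user chose to install; B and X are transitive.
MANIFEST = {
    "A": {"version": "1.2.0", "integrity": "sha256-aaaa", "deps": {"B": "1.0.3"}},
    "B": {"version": "1.0.3", "integrity": "sha256-bbbb", "deps": {"X": "^2.1.0"}},
    "X": {"version": "2.1.4", "integrity": None, "deps": {}},
}

# An exact pin is a bare MAJOR.MINOR.PATCH; anything else (^, ~, >=, *) can float.
EXACT = re.compile(r"^\d+\.\d+\.\d+$")


def transitive_closure(manifest, roots):
    """Return the set of packages reachable from the deliberately installed roots."""
    seen, stack = set(), list(roots)
    while stack:
        name = stack.pop()
        if name in seen or name not in manifest:
            continue
        seen.add(name)
        stack.extend(manifest[name]["deps"])
    return seen


def unpinned_edges(manifest, roots):
    """List (parent, dep, spec) edges whose spec is a range rather than an exact pin."""
    findings = []
    for name in sorted(transitive_closure(manifest, roots)):
        for dep, spec in manifest[name]["deps"].items():
            if not EXACT.match(spec):
                findings.append((name, dep, spec))
    return findings


def missing_integrity(manifest, roots):
    """Packages in the closure with no content hash, so a swapped artifact cannot be caught."""
    return sorted(n for n in transitive_closure(manifest, roots) if not manifest[n]["integrity"])


if __name__ == "__main__":
    roots = ["A"]
    for parent, dep, spec in unpinned_edges(MANIFEST, roots):
        print(f"{parent} -> {dep} uses floating spec {spec!r}; pin to an exact version")
    for name in missing_integrity(MANIFEST, roots):
        print(f"{name} has no integrity hash recorded")
```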