
Why we stopped vendoring our npm dependencies - anotherevan
http://blog.bithound.io/why-we-stopped-vendoring-our-npm-dependencies/
======
skybrian
So, Github's pull request handling didn't work out? I think the answer is to
not use pull requests. Github's handling of code reviews is barely adequate at
best. I understand that people need to accept changes from outsiders
sometimes, but for reviews between team members, maybe try Rietveld? (I
haven't tried it for vendoring, though.)

When reviewing vendor code checkins, you should be making sure they're
following the right procedures so that you have everything needed for the next
time around: updating documentation about which version was checked in, re-
applying any local patches if needed, documenting any new changes that are
different from upstream, making sure tests pass, etc. As for the code itself,
it's pretty much a rubber stamp; you have to trust that they unpacked the
version they said they did. (This is probably not something you want to trust
outsiders with.)

If you're not using code reviews and perhaps automation to keep things on
track, I can see how it would fall apart.

------
Gigablah
If npm speed or reliability is an issue you could also try a local registry
cache:

[https://github.com/rlidwka/sinopia](https://github.com/rlidwka/sinopia)

