1. Think twice before introducing a third-party dependency (including dev dependency).
2. Favor trusted dependencies with a good dependency policy.
3. Avoid dependencies with tens/hundreds of third-party (transitive) dependencies.
4. Audit mid-trusted dependencies (including their transitive dependencies).
5. Use an exact version (=x.y.z, no ^ or ~ range) for mid-trusted dependencies so that updates cannot be pulled in without an audit.
6. Use scoped packages for new projects in order to define trust boundaries.
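As an added example (not part of the original list and not any project's own tooling), the following JavaScript checks an npm project's package.json and package-lock.json against rules 3, 5 and 6: it counts the transitive dependencies of each direct dependency from the lockfile, flags version ranges that are not exact pins, and flags an unscoped project name. The manifest, the lockfile, every package name and the trusted list are constructed sample data; the transitive-dependency threshold and the `trusted` set are assumptions, because rules 1, 2 and 4 are judgment calls a script cannot make.

```javascript
'use strict';

// Rule 5: an exact version is "x.y.z" or "=x.y.z" (optional prerelease tag);
// anything with ^, ~, *, x, >=, || or a bare major/minor is a range.
const EXACT_RE = /^=?\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;
function isExactVersion(range) {
  return EXACT_RE.test(String(range).trim());
}

// Rule 6: scoped packages are named "@scope/name".
function isScoped(name) {
  return /^@[^/]+\/[^/]+$/.test(name);
}

// Rule 3: count the unique transitive dependencies of `name` from the
// lockfile's "packages" map (lockfileVersion 2 or 3). A dependency is
// resolved the way npm does: first under the parent's own node_modules,
// then walking up towards the root. The `seen` set also breaks cycles.
function countTransitive(lock, name) {
  const packages = lock.packages || {};
  const seen = new Set();
  const resolve = (fromPath, dep) => {
    let base = fromPath;
    for (;;) {
      const candidate = base ? `${base}/node_modules/${dep}` : `node_modules/${dep}`;
      if (packages[candidate]) return candidate;
      if (!base) return null;
      const i = base.lastIndexOf('/node_modules/');
      base = i === -1 ? '' : base.slice(0, i);
    }
  };
  const walk = (path) => {
    for (const dep of Object.keys(packages[path].dependencies || {})) {
      const depPath = resolve(path, dep);
      if (!depPath || seen.has(depPath)) continue;
      seen.add(depPath);
      walk(depPath);
    }
  };
  const root = resolve('', name);
  if (root) walk(root);
  return seen.size;
}

// Apply rules 3, 5 and 6 and return a list of findings. `trusted` holds the
// names the team has decided are fully trusted (rule 2); those may use a
// range. `maxTransitive` is an assumed policy threshold.
function auditProject(pkg, lock, { trusted = new Set(), maxTransitive = 20 } = {}) {
  const findings = [];
  if (!isScoped(pkg.name || '')) {
    findings.push({ rule: 6, name: pkg.name, message: 'project is not a scoped package' });
  }
  const sections = { dependencies: pkg.dependencies || {}, devDependencies: pkg.devDependencies || {} };
  for (const [section, deps] of Object.entries(sections)) {
    for (const [name, range] of Object.entries(deps)) {
      const n = countTransitive(lock, name);
      if (n > maxTransitive) {
        findings.push({ rule: 3, name, message: `${n} transitive dependencies (limit ${maxTransitive})` });
      }
      if (!trusted.has(name) && !isExactVersion(range)) {
        findings.push({ rule: 5, name, message: `${section} range "${range}" is not an exact version` });
      }
    }
  }
  return findings;
}

// Constructed sample manifest and lockfile (hypothetical package names).
const SAMPLE_PACKAGE_JSON = {
  name: 'my-app',                // not scoped -> rule 6
  dependencies: {
    '@acme/core': '=1.4.2',      // scoped, pinned, on the trusted list
    'mega-framework': '2.0.0',   // pinned, but drags in many packages
    'tiny-util': '^1.3.0',       // caret range on a mid-trusted package
  },
  devDependencies: {
    'lint-tool': '~3.1.0',       // dev dependencies count too
  },
};
const megaDeps = {};
for (let i = 1; i <= 6; i++) megaDeps[`mega-dep-${i}`] = '^1.0.0';
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-app' },
    'node_modules/@acme/core': { version: '1.4.2' },
    'node_modules/tiny-util': { version: '1.3.1', dependencies: { 'util-a': '^1.0.0', 'util-b': '^2.0.0' } },
    'node_modules/util-a': { version: '1.0.0', dependencies: { 'util-c': '^1.0.0' } },
    'node_modules/util-b': { version: '2.0.0' },
    'node_modules/util-c': { version: '1.0.0', dependencies: { 'util-a': '^1.0.0' } }, // cycle
    'node_modules/lint-tool': { version: '3.1.0' },
    'node_modules/mega-framework': { version: '2.0.0', dependencies: { ...megaDeps, 'util-a': '^0.9.0' } },
    'node_modules/mega-framework/node_modules/util-a': { version: '0.9.0' }, // nested copy
    ...Object.fromEntries(Object.keys(megaDeps).map((d) => [`node_modules/${d}`, { version: '1.0.0' }])),
  },
};

const SAMPLE_FINDINGS = auditProject(SAMPLE_PACKAGE_JSON, SAMPLE_LOCK, {
  trusted: new Set(['@acme/core']),
  maxTransitive: 5,
});
for (const f of SAMPLE_FINDINGS) console.log(`rule ${f.rule}: ${f.name}: ${f.message}`);
```

To run it against a real project, replace the two constructed objects with `JSON.parse(fs.readFileSync('package.json'))` and the same for `package-lock.json`; lockfileVersion 1 files have no `packages` map and are not handled here. The transitive count is computed from the lockfile rather than from `node_modules`, so it reflects what an install would pull in, not only what is present on disk.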