Do you review a dependency before adding it? Based on what criteria? Do you discuss it with others, open a pull request, or is it a total free-for-all where everything is allowed?
My question comes from a previous post and the need to adopt (or at least discuss) a strategy for how new dependencies are added securely and efficiently.
I found this AskJS Reddit thread on the same subject, but unfortunately not many responses.
I am keen to hear of other experiences on this topic.
Context: Secure management of dependencies is one of the issues our package management tool bytesafe addresses. As such I would like to get a better understanding of the workflow and concerns of the community on this issue.
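One way to turn the "what criteria?" question above into something a team can actually enforce is a small review gate that scores a candidate package against a written policy before it is allowed in. The example below is added here and is not the poster's code or anything from bytesafe; the registry document is constructed (its shape mirrors a public npm registry response, but the package, maintainer and URLs are invented), and the threshold values in `POLICY` are hypothetical policy choices a team would tune for itself.

```python
"""Dependency review gate: score a candidate package version against a
written policy before it is added to a project.

Added example. REGISTRY_DOC is a constructed document in the shape of an
npm registry response (not fetched from anywhere); POLICY holds
hypothetical thresholds that a real team would decide on together."""
import json
from datetime import datetime, timedelta, timezone

# Hypothetical policy: what "safe enough to add" means for this team.
POLICY = {
    "allowed_licenses": {"MIT", "ISC", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0"},
    "min_maintainers": 2,        # a single account is a single point of takeover
    "min_age_days": 7,           # let very fresh releases settle before adopting them
    "lifecycle_hooks": {"preinstall", "install", "postinstall"},  # run code at install time
}

# Constructed sample: one package with two versions; 2.0.1 adds a postinstall hook.
REGISTRY_DOC = json.loads("""{
  "name": "left-padz",
  "dist-tags": {"latest": "2.0.1"},
  "maintainers": [{"name": "solo-dev", "email": "solo@example.invalid"}],
  "time": {"2.0.0": "2024-01-10T12:00:00.000Z", "2.0.1": "2024-03-01T09:30:00.000Z"},
  "versions": {
    "2.0.0": {"license": "MIT",
              "repository": {"type": "git", "url": "https://example.invalid/left-padz"},
              "scripts": {"test": "node test.js"}},
    "2.0.1": {"license": "MIT",
              "repository": {"type": "git", "url": "https://example.invalid/left-padz"},
              "scripts": {"test": "node test.js", "postinstall": "node setup.js"}}
  }
}""")


def parse_time(stamp):
    """Parse a registry timestamp such as 2024-01-10T12:00:00.000Z."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def review(doc, version=None, now=None, policy=POLICY):
    """Return a list of (severity, finding) tuples for one version of a package.

    severity is "block" (policy violation) or "warn" (needs a human look).
    `now` may be a datetime or an ISO string; it defaults to the current time."""
    version = version or doc["dist-tags"]["latest"]
    meta = doc["versions"][version]
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = parse_time(now)
    findings = []

    # 1. License must be on the allow-list.
    license_ = meta.get("license")
    if license_ not in policy["allowed_licenses"]:
        findings.append(("block", f"license {license_!r} is not on the allow-list"))

    # 2. A declared source repository lets reviewers diff tarball against source.
    repo = meta.get("repository")
    repo_url = repo.get("url") if isinstance(repo, dict) else repo
    if not repo_url:
        findings.append(("warn", "no source repository declared"))

    # 3. Maintainer count: one account is one phishing e-mail away from a hijack.
    maintainers = len(doc.get("maintainers", []))
    if maintainers < policy["min_maintainers"]:
        findings.append(("warn", f"{maintainers} maintainer(s) on the package"))

    # 4. Release age: freshly published versions get a waiting period.
    age = now - parse_time(doc["time"][version])
    if age < timedelta(days=policy["min_age_days"]):
        findings.append(("warn", f"version {version} was published {age.days} day(s) ago"))

    # 5. Install-time lifecycle scripts execute on every developer and CI machine.
    hooks = policy["lifecycle_hooks"] & set(meta.get("scripts", {}))
    if hooks:
        findings.append(("block", f"install-time lifecycle script(s) {sorted(hooks)}"))

    return findings


def decision(findings):
    """Collapse findings into the outcome a pull-request check would report."""
    if any(sev == "block" for sev, _ in findings):
        return "reject"
    if findings:
        return "needs-review"
    return "approve"


if __name__ == "__main__":
    for ver in REGISTRY_DOC["versions"]:
        result = review(REGISTRY_DOC, ver, now="2024-06-01T00:00:00Z")
        print(f"{REGISTRY_DOC['name']}@{ver}: {decision(result)}")
        for sev, msg in result:
            print(f"  [{sev}] {msg}")
```

Run as a pull-request check, the "reject" outcome blocks the merge outright while "needs-review" asks for a second pair of eyes, which answers the "discuss it with others or open a pull request" part of the question: the policy is written down once, the gate applies it consistently, and humans only spend time on the cases the gate cannot decide.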