Hacker News

jen20, yesterday at 5:34 PM (2 replies)

(I mostly agree with you, but) devil's advocate: most people already do that with dependencies, so why not move the line even further up?


Replies

batshit_beaver, yesterday at 6:04 PM

Because you trust that your dependencies are not vibe coded and have been reviewed by humans.

almostdeadguy, yesterday at 6:20 PM

There's a reputational filtering that happens when using dependencies. Stars, downloads, last release, who the developer is, etc.

Yeah we get supply chain attacks (like the axios thing today) with dependencies, but on the whole I think this is much safer than YOLO git-push-force-origin-main-ing some vibe-coded trash that nobody has ever run before.

I also think this isn't really true for the FAANGs, who ostensibly vendor and heavily review many of their dependencies because of the potential impacts they face from them being wrong. For us small potatoes I think "reviewing the code in your repository" is a common sense quality check.