
No, you guys aren’t the only ones. Not currently a defense contractor but was one in a previous life. Whenever I read articles and comments here on HN about dependency management I break out into sweats. It’s shocking how cavalier people are about pulling in third-party dependencies, and this dismissive attitude about risk management: what exactly it is that the dependencies do, how suitable they really are for the project, what happens if they become not suitable (contingency plans), how auditable and traceable changes are, etc.

It’s just “npm install” and YOLO for a lot of developers!


