Description
Security enthusiasts demand that we maintain up-to-date dependencies even when there are no disclosed vulnerabilities. We would need to do some research into the argumentation here, but what it boils down to is that by using up-to-date dependencies, you are always able to evade disclosures. This does not mean you evade vulnerabilities; it means that you are less likely to run software that has disclosed vulnerabilities, simply because no one has had time to disclose them yet. As you can tell, I'm not quite buying this.
Maintaining up-to-date dependencies is A LOT of work for each repository being maintained. What's worse is that if Renovate and Dependabot are used, they actually give you alarm fatigue, making it harder to see which dependencies are being requested to merge because of disclosed vulnerabilities.
There is just no time to review these pull requests.
Potential solutions
One way to manage dependencies better is supposedly to use a monorepo architecture, and this has benefits beyond security. Draupnir has quite a lot of packages that would be suited to a monorepo, because they have a number of peer dependencies that need to be kept in synchronisation.
Another solution is to disable Renovate/Dependabot updates entirely for things that are not updates in response to disclosed vulnerabilities, specifically outside of the main repository. This would allow us to focus on those repositories only when it matters. This isn't giving up; we already gave up, because we're not doing that work, and we don't believe it is sustainable to do it.
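As an added illustration of the second option (this is example configuration, not anything from the Draupnir repositories), the following `renovate.json5` uses Renovate's `security:only-security-updates` preset, which turns off the regular version-bump PRs while keeping the vulnerability-alert PRs enabled. The `labels` value and the use of the OSV database are assumptions for the example, not settings the issue asks for:

```json5
// renovate.json5 (example only; not the project's own config).
// Goal from the issue: no routine dependency-bump PRs in satellite
// repositories, only PRs that respond to a disclosed vulnerability.
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",

  // Renovate-provided preset: disables ordinary updates for every
  // dependency, leaves vulnerability-alert PRs switched on.
  "extends": ["security:only-security-updates"],

  // Also consult the osv.dev advisory database, so the repository does
  // not depend solely on GitHub's Dependabot alerts being enabled.
  "osvVulnerabilityAlerts": true,

  // Tag the remaining PRs so they stand out; label name is an assumption.
  "vulnerabilityAlerts": {
    "labels": ["security"]
  }
}
```

Two caveats for anyone adopting this: Renovate's GitHub-sourced vulnerability alerts only work if the repository has Dependabot alerts enabled and the bot token can read them, which is why the OSV source is turned on above. For repositories that use Dependabot rather than Renovate, the equivalent is to set `open-pull-requests-limit: 0` on each `updates` entry in `.github/dependabot.yml`; GitHub documents this as disabling version updates for that package ecosystem while still creating Dependabot security updates.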