slsa-framework / slsa

Supply-chain Levels for Software Artifacts
https://slsa.dev

TODO: Need mitigation description for "Include a vulnerable dependency" threat #1183

Open lehors opened 2 weeks ago

TomHennen commented 1 week ago

I think the answer to this will be mostly the same as (G). I'll wait until #1190 is merged before making a proposal.

michaelwinser commented 4 days ago

This starts with admission control over the full dependency graph, not just those explicitly mentioned in a project's dependencies.

If the dependency inclusion is not declarative then static code analysis might be required to even detect the inclusion of the vulnerable code. The risk of copy-paste inclusion of vulnerabilities, especially from bad sample code is significant.
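An added example (not code from the slsa-framework/slsa project or from the commenter) of the declarative case in the comment above: an admission check over the full transitive dependency graph beside one that looks only at a project's directly declared dependencies. The package names, graph and advisory identifier are constructed placeholders.

```python
# Added example: admission control over the full dependency graph versus
# a check over direct dependencies only. All names below are constructed.
from collections import deque

# Constructed dependency graph: package -> packages it depends on.
DEP_GRAPH = {
    "my-app": ["web-framework", "json-utils"],
    "web-framework": ["http-core", "template-lib"],
    "json-utils": [],
    "http-core": ["compress-lib"],
    "template-lib": [],
    "compress-lib": [],
}

# Constructed deny list keyed by package; the value is a placeholder advisory id.
DENIED = {"compress-lib": "ADVISORY-PLACEHOLDER-1"}

def direct_findings(root, graph=DEP_GRAPH, denied=DENIED):
    """Check only the dependencies the project declares explicitly."""
    return {d: denied[d] for d in graph.get(root, []) if d in denied}

def transitive_closure(root, graph=DEP_GRAPH):
    """Breadth-first walk over every package reachable from root (cycle-safe)."""
    seen, queue = set(), deque([root])
    while queue:
        pkg = queue.popleft()
        for dep in graph.get(pkg, []):
            if dep not in seen:
                seen.add(dep)
                queue.append(dep)
    return seen

def full_graph_findings(root, graph=DEP_GRAPH, denied=DENIED):
    """Findings over the whole graph, not just the declared dependencies."""
    return {p: denied[p] for p in transitive_closure(root, graph) if p in denied}

def admit(root, graph=DEP_GRAPH, denied=DENIED):
    """Admission decision: any reachable denied package blocks the artifact."""
    return not full_graph_findings(root, graph, denied)

if __name__ == "__main__":
    print("direct only:", direct_findings("my-app"))      # {} -> the vulnerable dep is missed
    print("full graph:", full_graph_findings("my-app"))  # {'compress-lib': 'ADVISORY-PLACEHOLDER-1'}
    print("admit:", admit("my-app"))                     # False
```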