@ted Bundled dependencies can only work if there's an automated process to update them in the bundle. In my opinion, which on this topic is not humble.
@liw I think that makes sense and is a best practice.
I would say the *minimum* for bundled dependencies is a sandbox though. Many times the security issues for a dep aren't in a way that is used by most applications, so a sandbox makes things drastically safer.
@ted A sandbox would make sense for most software, actually.