• AA5B@lemmy.world
    link
    fedilink
    arrow-up
    7
    ·
    edit-2
    2 个月前

    We have a scanner that does that on every build.

    It blocks builds for dependencies with

    • licenses not acceptable to Legal
    • serious or critical vulnerabilities.
    • political messages, even if you agree with them
    • we may also add a criteria to block non-release dependencies.

    As a developer, you’re free to use anything that works

    I have yet to figure out how my company views contributing back to open source. I don’t know of anyone actively doing that, but it turns out we host a few originals of open source. I’ve been trying to improve development processes, get tools and dependencies up to date …… but then I ran into things where it’s a bigger change because of the downstream opensource dependencies and because it’s not really owned by the company