For me, it’s not about reaching zero dependencies. But having dependencies that we cautiously agreed upon.
The following section about SBOMs covers what I’m about to say, but I want to add to it. Most (all?) major ecosystems include lockfiles that let you control exact dependency versions and look at them. Always be explicit when updating the lockfile.
I also want to add that Nix gives you the ability to do this at the tooling level. While I’m not going to say everyone should go install Nix, do seriously consider that or devcontainers or some other kind of solution to ensure that you don’t get hit by tools you rely on becoming compromised suddenly (PSA: if you use AUR, seriously read that thread). As long as you can pin a specific version of each tool you use, whether by creating a shared image, by pinning a nixpkgs commit, or whatever, you shouldn’t have anything suddenly change on you.
The following section about SBOMs covers what I’m about to say, but I want to add to it. Most (all?) major ecosystems include lockfiles that let you control exact dependency versions and look at them. Always be explicit when updating the lockfile.
I also want to add that Nix gives you the ability to do this at the tooling level. While I’m not going to say everyone should go install Nix, do seriously consider that or devcontainers or some other kind of solution to ensure that you don’t get hit by tools you rely on becoming compromised suddenly (PSA: if you use AUR, seriously read that thread). As long as you can pin a specific version of each tool you use, whether by creating a shared image, by pinning a nixpkgs commit, or whatever, you shouldn’t have anything suddenly change on you.