The solution to supply chain problems is removing your deps from .gitignore
High agreement — the answer is well-supported across models.
Models agree on
- ✓ Removing dependencies from .gitignore and committing them is bad practice.
- ✓ Using lock files (e.g., package-lock.json, yarn.lock) is a correct solution for deterministic dependency management.
- ✓ Tools like npm audit, Snyk, and Dependabot are crucial for identifying and managing vulnerabilities in dependencies.
- ✓ Supply chain problems primarily relate to vulnerabilities, maintenance, and licensing of project dependencies.
Points of disagreement
- ~ DeepSeek V3 mentioned 'vendoring critical dependencies (but through proper processes)' as a potential solution, which Llama 4 Scout did not directly suggest or elaborate on, implicitly favoring package manager-based dependency management.
The statement "The solution to supply chain problems is removing your deps from .gitignore" is fundamentally incorrect and reflects a misunderstanding of both version control best practices and supply chain security.
Storing dependencies (e.g., node_modules, vendor directories) directly in a Git repository by removing them from .gitignore is widely considered bad practice for several key reasons:
- Bloated Repository Size: Dependencies often include numerous files and can significantly increase the size of your repository, making cloning, pushing, and pulling slower and consuming more storage.
- Complex Diff/Merge Operations: Changes within dependency files, which are often generated or downloaded, make diffs and merges difficult and noisy, obscuring actual code changes.
- Against Modern Dependency Management: Contemporary development ecosystems are built around declarative dependency files (like package.json, requirements.txt) and lock files (like package-lock.json, yarn.lock, Pipfile.lock) that ensure deterministic builds. The actual dependency files are downloaded by a package manager upon installation.
Instead, addressing supply chain security and reliability involves a multi-faceted approach focused on proper dependency management and auditing:
- Utilize Lock Files: Pin exact dependency versions using lock files (e.g., package-lock.json, yarn.lock, Pipfile.lock, Gemfile.lock). This ensures that everyone working on the project, and your CI/CD pipeline, installs the identical set of dependencies, preventing unexpected behavior from new versions.
- Regular Dependency Auditing and Updates:
  - Employ tools to identify known vulnerabilities in your dependencies, such as npm audit, yarn audit, pip-audit, Snyk, and Dependabot.
  - Automate dependency updates where feasible, carefully testing for compatibility issues.
- Advanced Supply Chain Security Measures:
  - Integrate software supply chain security frameworks and tools like Sigstore or SLSA (Supply-chain Levels for Software Artifacts).
  - Consider using private registries or proxies (e.g., Verdaccio, Artifactory, Nexus) to gain more control over approved dependencies and prevent direct access to public registries.
  - Implement Software Composition Analysis (SCA) tools (e.g., Black Duck, WhiteSource) to manage dependencies, detect vulnerabilities, and ensure license compliance.
- Secure Coding Practices & Monitoring:
  - Beyond dependencies, maintain secure coding practices within your own application code.
  - Continuously monitor your dependencies' lifecycles, licenses, and security advisories.
In essence, .gitignore dictates what Git tracks, not what your project uses. Proper version pinning with lock files and security auditing tools are the correct methods to mitigate supply chain risks; forcing all dependency binaries into version control is not.
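As an added example (not part of the synthesized answer above), a small Python check of the two mechanisms the answer relies on: every package in the lock file should carry a resolved source and an integrity hash, and .gitignore should exclude node_modules while still letting package-lock.json be tracked. The lock file, the .gitignore text and the registry allow-list are constructed sample data, not taken from any real project.

```python
import json

# Constructed sample package-lock.json (lockfileVersion 3 layout); not a real project's file.
SAMPLE_LOCK = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"left-pad": "^1.3.0", "lodash": "^4.17.21"}},
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
            "integrity": "sha512-PLACEHOLDER",  # placeholder digest, not a real hash
        },
        "node_modules/lodash": {
            "version": "4.17.21",
            "resolved": "http://mirror.example.internal/lodash-4.17.21.tgz",
            # no "integrity" field: the package manager cannot verify this tarball's contents
        },
    },
})

# Constructed .gitignore that gets the second rule backwards: it ignores the lock file.
SAMPLE_GITIGNORE = "node_modules/\n.env\npackage-lock.json\n"

ALLOWED_REGISTRIES = ("https://registry.npmjs.org/",)  # approved sources (assumption)


def audit_lockfile(lock_text: str, allowed=ALLOWED_REGISTRIES) -> list:
    """Flag packages the lock file cannot pin verifiably: missing integrity or unapproved source."""
    lock = json.loads(lock_text)
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if path == "":  # the root project entry is not a dependency
            continue
        name = path.split("node_modules/")[-1]
        if "integrity" not in meta:
            findings.append(f"{name}: no integrity hash, tarball contents unverifiable")
        resolved = meta.get("resolved", "")
        if not resolved.startswith(allowed):
            findings.append(f"{name}: resolved from unapproved source {resolved or '<none>'}")
    return findings


def audit_gitignore(gitignore_text: str) -> list:
    """The deps directory must be ignored; the lock file must NOT be, or clones lose the pins."""
    rules = {ln.strip() for ln in gitignore_text.splitlines() if ln.strip() and not ln.startswith("#")}
    findings = []
    if not any(r.rstrip("/") == "node_modules" for r in rules):
        findings.append("node_modules is not ignored; installed deps would be committed")
    if "package-lock.json" in rules:
        findings.append("package-lock.json is ignored; builds are not pinned for other clones")
    return findings
```

Run both checks in CI before the install step; any finding means the build is not reproducible from the committed manifest and lock file alone.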