Right.

Not to mention the (apparently not obvious?) option of detaching review- and release versions. We still look at the diff of latest versions of dependencies before they reach our codebase. That seems like the most responsible.

Besides, why stop there? Everyone installing packaged builds from NPM are already freeriding from those installing sources straight from Github releases. smh