RT @kiraemclean
Ask yourself before including new dependencies:
- can you really not do this in a few lines of code yourself?
- do they regularly scan for known vulnerabilities?
- do they accept outside PRs to bump deps?
- how many downstream deps does it have? what kind of shape are they in?
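
For the last question, one way to count what a candidate dependency brings along, as an added example that is not part of the original tweet. It assumes an npm project with a `package-lock.json` in the v3 layout; the sample lockfile, its package names and the helper names `resolve` and `transitive_deps` are constructed for illustration.

```python
import json

# Constructed sample in npm package-lock.json v3 layout; names and versions
# are made up. Only "dependencies" edges are followed (not peer/optional).
SAMPLE_LOCK = json.loads("""
{"lockfileVersion": 3, "packages": {
  "": {"name": "app", "dependencies": {"left": "^1.0.0", "right": "^2.0.0"}},
  "node_modules/left": {"version": "1.2.0", "dependencies": {"shared": "^1.0.0"}},
  "node_modules/right": {"version": "2.0.1", "dependencies": {"shared": "^2.0.0", "tiny": "^0.1.0"}},
  "node_modules/right/node_modules/shared": {"version": "2.3.0"},
  "node_modules/shared": {"version": "1.9.0", "dependencies": {"tiny": "^0.1.0"}},
  "node_modules/tiny": {"version": "0.1.4"}
}}
""")


def resolve(packages, from_path, name):
    """Find the lock entry a dependency resolves to, walking up node_modules."""
    path = from_path
    while True:
        candidate = (path + "/" if path else "") + "node_modules/" + name
        if candidate in packages:
            return candidate
        if not path:
            return None  # not present in the lockfile
        # Drop the last "node_modules/<pkg>" segment to move one level up.
        path = path.rpartition("node_modules/")[0].rstrip("/")


def transitive_deps(lock, direct_name):
    """Return {lock_path: version} for everything one direct dep pulls in."""
    packages = lock["packages"]
    start = resolve(packages, "", direct_name)
    if start is None:
        raise KeyError(direct_name)
    seen, stack = {}, [start]
    while stack:
        path = stack.pop()
        if path in seen:
            continue  # already visited; also guards against cycles
        seen[path] = packages[path].get("version")
        for dep in packages[path].get("dependencies", {}):
            target = resolve(packages, path, dep)
            if target is not None:
                stack.append(target)
    del seen[start]  # report only what comes along with the package
    return seen
```

The returned paths show duplicated versions as well as the count: here `right` carries its own nested copy of `shared` alongside the hoisted one used by `left`.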