The serious devs in actual dev shops I've asked answered with something like:
>We do code reviews on the libraries we use. Basically if someone wants a library they're responsible for checking it.
Me: Isn't that a shtload of work with new versions etc.?
>Yeah so we tend to lag behind official versions quite a bit.
It sounded like they host local mirrors of some sort with just the vetted code. Though I think "vetted" here is a quick glance over for shady sht rather than true security vetting.
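An added illustration (mine, not the poster's shop's tooling) of the gate a "vetted local mirror" implies: a build only resolves dependencies whose exact version and artefact hash are on the reviewed allowlist, so a newer upstream release is rejected until someone reviews it. The allowlist, package names and hashes are constructed placeholders.

```python
import re
from typing import Dict, List, Tuple

# Constructed allowlist standing in for the vetted mirror: only these exact
# versions, with these sha256 digests, have been reviewed. Placeholder hashes.
VETTED: Dict[str, Tuple[str, str]] = {
    "requests": ("2.31.0", "a" * 64),
    "urllib3": ("2.0.7", "b" * 64),
}

# pip-style lockfile line: name==version --hash=sha256:<64 hex chars>
LOCK_LINE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<ver>\S+)\s+--hash=sha256:(?P<sha>[0-9a-f]{64})$"
)


def check_dependency(line: str) -> Tuple[str, str]:
    """Return (package, verdict): ok, unknown, unvetted-version, hash-mismatch, unparsed."""
    m = LOCK_LINE.match(line.strip())
    if not m:
        return (line.strip(), "unparsed")
    name, ver, sha = m.group("name").lower(), m.group("ver"), m.group("sha")
    if name not in VETTED:
        return (name, "unknown")            # nobody has reviewed this library at all
    vetted_ver, vetted_sha = VETTED[name]
    if ver != vetted_ver:
        # Deliberate lag: a newer release is not allowed until it has been reviewed.
        return (name, f"unvetted-version (vetted is {vetted_ver})")
    if sha != vetted_sha:
        # Same version string, different bytes: reject, never install.
        return (name, "hash-mismatch")
    return (name, "ok")


def audit_lockfile(text: str) -> List[Tuple[str, str]]:
    """Check every non-comment, non-blank lockfile line."""
    lines = [l for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    return [check_dependency(l) for l in lines]


def lockfile_is_clean(text: str) -> bool:
    return all(verdict == "ok" for _, verdict in audit_lockfile(text))


# Constructed sample lockfile: one vetted pin, one newer-than-vetted, one unknown.
SAMPLE_LOCK = "\n".join([
    "# constructed sample lockfile",
    "requests==2.31.0 --hash=sha256:" + "a" * 64,
    "urllib3==2.1.0 --hash=sha256:" + "b" * 64,
    "left-pad==1.3.0 --hash=sha256:" + "c" * 64,
])

if __name__ == "__main__":
    for pkg, verdict in audit_lockfile(SAMPLE_LOCK):
        print(f"{pkg}: {verdict}")
```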