I work on a Symfony 2 codebase.
We use a number of third-party packages (most are in the Symfony Standard Edition).
We use composer for dependencies.
We currently have all of our third-party code committed in our repository (after changing .gitignore files) to ensure stability.
According to Proper Programming Practices™, we are not supposed to have any third-party packages in our repo. We are supposed to pull them down and include them at build time.
How are we to do proper QA and debugging when at any given time our dependencies could push an update that breaks functionality?
1
I don’t know who told you to pull them at build time, but that person is, perhaps, not in your industry. Pulling at build time means every build is susceptible to upstream changes breaking things in your code. That’s BAD.
You need to be keeping a close eye on those upstream repos and pull them frequently when they change (you don’t want to get too far behind), but grabbing latest every build? No thank you.
I would recommend doing exactly what you are doing, with the addition that it needs to be someone’s job to watch the packages you use and pull changes in as soon as feasible.
5
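A middle ground between vendoring everything and pulling whatever is newest at build time is the one Composer is built around: commit composer.lock, which records the exact version and commit reference of every resolved package, and have the build run `composer install` (which honours the lock) rather than `composer update` (which re-resolves against the constraints in composer.json). Updates then become deliberate commits that change the lock file, and the person who watches upstream reviews that diff. The script below is an added example, not code from the question or answer; it compares two constructed composer.lock snapshots (package names are real Symfony-era packages, versions and commit references are made up, and the entries are trimmed to the fields the script reads) and flags entries that no version constraint bounds.

```python
"""Review a Composer dependency update by diffing two composer.lock files.

Added example (not part of the original question or answer). Assumes the
lock files follow Composer's documented layout: "packages" and
"packages-dev" lists whose entries carry "name", "version" and a "source"
or "dist" block with a "reference" (commit hash or archive identifier).
"""
import json

# Constructed sample: the committed composer.lock before someone ran
# `composer update`. Commit references are placeholders, not real hashes.
OLD_LOCK = """{
  "packages": [
    {"name": "symfony/symfony", "version": "v2.3.4",
     "source": {"type": "git", "reference": "a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1"}},
    {"name": "doctrine/orm", "version": "v2.4.1",
     "source": {"type": "git", "reference": "b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2"}},
    {"name": "twig/twig", "version": "v1.14.0",
     "source": {"type": "git", "reference": "c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3"}}
  ],
  "packages-dev": [
    {"name": "phpunit/phpunit", "version": "3.7.28",
     "source": {"type": "git", "reference": "d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4"}}
  ]
}"""

# Constructed sample: the same lock after the update. Symfony moved to a new
# tag, twig now tracks a branch, monolog was added, phpunit was dropped.
NEW_LOCK = """{
  "packages": [
    {"name": "symfony/symfony", "version": "v2.3.6",
     "source": {"type": "git", "reference": "e5e5e5e5e5e5e5e5e5e5e5e5e5e5e5e5e5e5e5e5"}},
    {"name": "doctrine/orm", "version": "v2.4.1",
     "source": {"type": "git", "reference": "b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2"}},
    {"name": "twig/twig", "version": "dev-master",
     "source": {"type": "git", "reference": "f6f6f6f6f6f6f6f6f6f6f6f6f6f6f6f6f6f6f6f6"}},
    {"name": "monolog/monolog", "version": "1.6.0",
     "source": {"type": "git", "reference": "0707070707070707070707070707070707070707"}}
  ],
  "packages-dev": []
}"""


def pinned_packages(lock_text):
    """Map package name -> (version, commit reference) for every package in
    the lock, production and dev sections alike."""
    lock = json.loads(lock_text)
    pins = {}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            ref = (pkg.get("source") or {}).get("reference") \
                or (pkg.get("dist") or {}).get("reference")
            pins[pkg["name"]] = (pkg["version"], ref)
    return pins


def lock_diff(old_text, new_text):
    """What a reviewer must look at: packages added, removed, or moved to a
    different version/commit between the two lock files."""
    old, new = pinned_packages(old_text), pinned_packages(new_text)
    return {
        "added": {n: new[n] for n in new.keys() - old.keys()},
        "removed": {n: old[n] for n in old.keys() - new.keys()},
        "changed": {n: (old[n], new[n])
                    for n in old.keys() & new.keys() if old[n] != new[n]},
    }


def unpinned(lock_text):
    """Packages no version constraint bounds. A branch alias (dev-*, *-dev)
    installs the locked commit today but follows the branch head on the next
    `composer update`; a missing commit reference cannot be reproduced at all."""
    return sorted(
        name for name, (version, ref) in pinned_packages(lock_text).items()
        if not ref or version.startswith("dev-") or version.endswith("-dev")
    )


def review(old_text, new_text):
    """Plain-text summary to attach to the commit that updates composer.lock."""
    diff = lock_diff(old_text, new_text)
    lines = [f"+ {n} {v} ({r[:7]})" for n, (v, r) in sorted(diff["added"].items())]
    lines += [f"- {n} {v} ({r[:7]})" for n, (v, r) in sorted(diff["removed"].items())]
    lines += [f"~ {n} {ov} ({orf[:7]}) -> {nv} ({nr[:7]})"
              for n, ((ov, orf), (nv, nr)) in sorted(diff["changed"].items())]
    lines += [f"! {n} is not pinned to a tagged release" for n in unpinned(new_text)]
    return "\n".join(lines)


if __name__ == "__main__":
    print(review(OLD_LOCK, NEW_LOCK))
```

Run it against the two lock files from before and after an update (for example `git show HEAD~1:composer.lock` and the working copy) and read the summary before merging; the `!` lines are the entries that will drift on the next update no matter how carefully the rest is reviewed.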