In enterprise environment you need to manically update to meet the security compliance SLAs because those dependencies are a source of non stop CVEs. It's mostly bunk CVEs but that's out of your control.
No, you only need to update when there is an actual CVE which is a real concern, which is fairly rare for development dependencies, for instance webpack had only two in it's 12-year history – with one being severe. Babel had practically zero (except 1 indirect critical traverse package CVE last year). Vite you're proposing had 7 total and 3 severe in 4 years. Think this through – non stop CVEs, really?
gloosx|1 year ago
morbicer|1 year ago
CVEs aside, core-js is a liability on itself. Sad personal story, sad that the world still thanklessly depends on it.