Particle.news


Obsidian Details ‘Less Is Safer’ Engineering to Curb Software Supply-Chain Risk

The note-taking app emphasizes tight dependency control to shrink the attack surface.

Overview

  • Obsidian says it keeps a very small dependency set by re‑implementing utilities, forking medium modules, and vendoring version‑locked copies of large libraries such as pdf.js, Mermaid, and MathJax.
  • The team enforces exact version pins with a committed lockfile to produce deterministic installs and blocks postinstall scripts to stop arbitrary code during setup.
  • Dependency upgrades are infrequent and undergo line‑by‑line changelog review, sub‑dependency checks, diffing of risky changes, and cross‑platform automated and manual testing.
  • A built‑in delay between upgrading and releasing creates a community detection window, and only core packages like Electron, CodeMirror, and moment.js ship in the app.
  • A DEV Community article promotes these practices as a reproducible playbook—audits, static analysis, and monitoring with tools like Snyk or Dependabot—and attributes a 300% year‑over‑year rise in supply‑chain attacks to CISA.
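The two controls named in the second bullet, exact version pins and disabled install scripts, are easy to audit mechanically. The following Node.js check is an added example (not Obsidian's code, nor from either article); the package.json and .npmrc contents are constructed, and the exact-version regex and finding strings are this example's own choices.

```javascript
// Added example: flag a dependency manifest that uses version ranges and an
// .npmrc that still lets install-time lifecycle scripts (preinstall/postinstall) run.
// Accepts only "MAJOR.MINOR.PATCH" with an optional prerelease/build suffix.
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$/;

// Parse .npmrc key=value lines, skipping blanks and comments (assumed simple format).
function parseNpmrc(text) {
  return Object.fromEntries(
    text.split("\n")
      .map((l) => l.trim())
      .filter((l) => l && !l.startsWith("#") && !l.startsWith(";"))
      .map((l) => l.split("=").map((s) => s.trim()))
  );
}

// Returns a list of findings; an empty list means the policy is satisfied.
function checkDependencyPolicy(pkg, npmrcText) {
  const findings = [];
  for (const field of ["dependencies", "devDependencies"]) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (!EXACT_VERSION.test(spec)) {
        findings.push(`${field}.${name}: "${spec}" is a range, not an exact pin`);
      }
    }
  }
  const settings = parseNpmrc(npmrcText);
  if (settings["ignore-scripts"] !== "true") {
    findings.push(".npmrc: ignore-scripts is not true; dependency lifecycle scripts run on install");
  }
  if (settings["save-exact"] !== "true") {
    findings.push(".npmrc: save-exact is not true; `npm install <pkg>` will write a caret range");
  }
  return findings;
}

// Constructed samples: a weak setup beside a hardened one (versions are made up).
const weakPkg = { dependencies: { moment: "^2.29.4", codemirror: "~6.0.0" } };
const weakNpmrc = "";
const hardenedPkg = { dependencies: { moment: "2.29.4", codemirror: "6.0.1" } };
const hardenedNpmrc = "ignore-scripts=true\nsave-exact=true\n";

console.log("weak:", checkDependencyPolicy(weakPkg, weakNpmrc));        // 4 findings
console.log("hardened:", checkDependencyPolicy(hardenedPkg, hardenedNpmrc)); // []
```

Pins alone do not give deterministic installs; pair them with a committed lockfile and `npm ci`, which fails rather than silently resolving when package.json and the lockfile disagree. Note that `ignore-scripts=true` also suppresses the project's own lifecycle scripts, so any needed build step must be invoked explicitly.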