
I thought a lot of people discourage the use of static linking or any form of local dependency bundling, because when there's a security update every app needs to be updated individually. But it seems that with the emergence of Bundler and NPM, people are trending more and more towards local bundling. What happened?



One possible contrarian view: global dependencies actually cause a lot of those security updates to be necessary. Exploits that target a given version of a given library may be easier to propagate if you know that almost every application run by every user depends on that library version.



