Also "using" a third-party library hopefully results in finding bugs, fixing them, and submitting a pull request to the project.

When did using git-based package managers become the norm?

> it wasn't uncommon to track/update dependencies manually using command-line git.

Are you saying you normally update your third-party libs with the latest from HEAD instead of using versioned release artifacts?

(I'm guessing you're speaking from a JS dev perspective?)

I'm a web developer, so my response was hastily written thinking about my own narrow scope. I'm sure that non-web developers can go their whole lives without interacting with git, but it's impossible for web developers.

Npm (Node), Composer (PHP), and Bower (web) package managers all use git (and often GitHub itself) pretty religiously. I know that one or more of those may support other VCS repos, but git is the de facto flavor.

> Are you saying you normally update your third-party libs with the latest from HEAD instead of using versioned release artifacts?

Not exactly. First of all, that's what I _used_ to do before every language had its own package manager.

Second, I do use versioned releases. However, I use the tagged versions that are determined by the author(s) of the library. I'm not just pulling down a bleeding-edge, un-tested library, and I don't get every single commit.

1. Nuget packages inside Visual Studio 2. Download the library using a web browser, and just put it where it needs to be.

I'm sure some people would scoff at this list, but it does demonstrate that you can certainly use third party libraries without using git.

That might work for certain projects, but let's say you're using 10 third-party libraries. If they're under active development, you can expect at least a few security updates between the time you first import them and the time you ship your own product.

It's not very practical (especially for a programmer!) to keep manually checking your dependencies' product pages for updates.