readme

README.md

@@ -481,17 +481,14 @@ can read application memory, you are doomed in any case:
 * **Commits** are signed with PGP keys, to prevent forgery. Make sure to verify commit signatures.
 * **Releases** are transparent and built on GitHub CI. Make sure to verify [provenance](https://docs.npmjs.com/generating-provenance-statements) logs
 * **Rare releasing** is followed to ensure less re-audit need for end-users
-* **Dependencies** are minimal:
-   - All deps are prevented from automatic updates and have locked-down version ranges. Every update is checked with `npm-diff`
-   - Updates themselves are rare, to ensure rogue updates are not catched accidentally
+* **Dependencies** are minimized and locked-down:
+   - If your app has 500 dependencies, any dep could get hacked and you'll be downloading
+     malware with every install. We make sure to use as few dependencies as possible
+   - We prevent automatic dependency updates by locking-down version ranges. Every update is checked with `npm-diff`
 * **Dev Dependencies** are only used if you want to contribute to the repo. They are disabled for end-users:
    - scure-base, scure-bip32, scure-bip39, micro-bmark and micro-should are developed by the same author and follow identical security practices
    - prettier (linter), fast-check (property-based testing) and typescript are used for code quality, vector generation and ts compilation. The packages are big, which makes it hard to audit their source code thoroughly and fully
 
-Our goal is to minimize the amount of 3rd-party dependencies & native bindings.
-If your app uses 500 dependencies, any dep could get hacked and you'll be
-downloading malware with every install.
-
 ### Randomness
 
 We're deferring to built-in