NPM and Webpack are out of the question, so I’ll just advocate for composer:
From a developer perspective it takes more time to manually manage extensions than to do it with a dependency manager. To the extreme you could compare it to using “Linux From Scratch” or Debian. If there’s a security problem you have to manually get the code and fit it into your project. When you use package management you just run `apt update` or `composer update` respectively. Thinking of the days and weeks I spent on manually doing stuff in Linux in the mid-90s, I’m certainly glad to have package management now and glad that other OSs (like iOS, Android, OSX, Windows) adopted something similar (app stores).
@fox says he only wants to update when there’s a security shitstorm. There’s a free (for OSS projects) composer service that notifies you when one of your dependencies needs a security update (for GitHub users it even creates pull requests).
Just for fun, I just tried switching my tt-rss install to composer autoloading. It was a one-line change. So it’s not like a deep cut into the app or something.