Do I have to create a new snap package everytime a dependency gets a security update?
Solution 1:
The short answer is yes, you'll need to rebuild your snap if you need to update a dependency. However, there's a longer answer here, too.
Say you have some application that uses SSL (could be some embedded software or a full-blown website using Apache). You do your research and utilize specific key exchange and symmetric algorithms. Now say a security vulnerability was discovered in SSL, and a new version was released. Just because it's a security release doesn't mean the patched vulnerability was in one of the algorithms you used. What if it wasn't? What if, by patching that vulnerability in an algorithm you didn't use, something you did use was broken or compromised (happened to me recently with PHP)? If you're bundling it you can make the call about whether or not you need to upgrade on a use-by-use basis. You can also test it extensively before rolling it out to all your users. There's also the possibility that the distribution you're targeting has a different version of SSL that doesn't work with your piece of software, where bundling it in the snap provides for a common experience across platforms.
There's definitely a trade off between the benefits of sharing dependencies and the benefits of bundling them.