You need to automate vulnerability monitoring
You need to automate runtime updates
You need to automate dependency upgrades
You need to cache dependencies
You need to automate releases
You need to contribute
All that said, our tooling isn't there... yet. Addressing each of the points above:
There is tooling to automate your vulnerability monitoring, but IMO the remediation features aren't even close to fleshed out enough to be The Solution. The tools we need are out there, but the dots haven't been connected... yet.
There isn't much tooling for intelligence around upgrading your @nodejs runtime. There is a minimum secure version of every active release line, but that information is too hard to find for those who don't contribute to @nodejs. I'm personally hoping to help solve this one.
The @greenkeeperio bot does a god damn incredible job with managing dependency upgrades, but not enough projects use it. The more projects that start using it, the safer our ecosystem becomes and the faster we get rid of legacy code that hinders everyone. Use it.
Caching deps is something you've been able to do for years. It's v easy to tell that a lot of companies aren't caching deps when a module they depend on disappears (left_pad) or @npmjs has an outage. The onus of HA is on your company, not @npmjs... unless you pay for npmE.
Automating releases is a pretty topic in DevOps, and it's something you should be doing for every npm module, every JavaScript app, and every Node.js service. If you're not automating, you're going to drown under the flood of changes from the previous four points.
This one is a bit of an outlier, but it's an important one. Be the change you want to see. Contribute to the libraries that you use and that need help, not just the glamorous ones. If there are unnecessary deps, remove them. Pay maintainers on @opencollect.
(cont.) You as an individual can be a leader in open source for your company. Help drive that change. If you need manager buzz words, tie in the concept of OSS contribution to Digital Transformation for your skip levels.
(cont.) Your company's support can positively impact the lifespan of an open-source project. By being good open-source citizens, your company's talent pipeline will increase. You'll be positioned to become industry leaders in a world that is frothing for that.
To wrap things up, this ecosystem is a paradigm shift. Both developers and companies need to come at it with fresh eyes and an understanding that 1k+ dependencies is okay. If it's concerning, you're not handling it correctly. But you totally can.
You'll need to shed the restraints of yesteryear to be able to utilize the world's largest source of code that already solves nearly every engineering problem you'll encounter.
ALSO! I know I said a -load of controversial things and may have gotten some of them wrong. I 100% know people will come at me with "well actually" and tell me how I'm wrong. Happy to listen and learn from your perspective.
pic.twitter.com/X5skRkVdR4