When the left-pad debacle happened, I feared that people would conclude “dependencies are bad”. (Instead of the logical conclusion, which is “don’t allow dependencies to be deleted from package registries.”) That prediction turned out to be true. :(
Replying to @pcwalton
I still hate the high dependency count. It’s a nightmare. In rust as well as in javascript. I think dependency groups would help (grouped by org)
5 replies 0 retweets 21 likes
Replying to @pcwalton
How do you vet and security check them all? Any process one can put in place scales badly with the number of dependencies.
2 replies 0 retweets 9 likes
Replying to @mitsuhiko
How do you vet and security check all the OS libraries you depend on? I think people like to complain about Cargo, NPM, etc. because they make the complexity of software very visible, when the real issue is just that software is complex.
7 replies 9 retweets 38 likes
Replying to @pcwalton
I come from the Python world which has significantly fewer dependencies due to the restrictions of the import system. There the total number of involved actors is much smaller and easier to audit.
2 replies 0 retweets 0 likes
Replying to @mitsuhiko
Why does the number of “involved actors” matter?
2 replies 0 retweets 0 likes
Replying to @pcwalton @mitsuhiko
I went through this somewhat recently in a reddit convo: https://old.reddit.com/r/rust/comments/c9fzyp/analysis_of_rust_crate_sizes_on_cratesio/et046dz/ … --- Widely used/trusted libraries are one thing. Tons of small dependencies maintained by different people with different policies at different maturity levels is another. It's a real cost.
1 reply 0 retweets 20 likes
Agreed. Trust is a tricky problem to handle. I'll point out that *most* of the discussion around trust and crates is reactionary to "npm problems" and that's super unhealthy: it leads to half solutions that don't actually work out for most use cases of trust.
1 reply 0 retweets 8 likes
Yeah that sucks and is counterproductive. I can definitely understand the frustration though, especially when it is at least (IMO) partially a cultural problem. As I said in reddit comments, I'm part of the problem too. I'm hopeful that some gentle pushback will be beneficial.