When the left-pad debacle happened, I feared that people would conclude “dependencies are bad”. (Instead of the logical conclusion, which is “don’t allow dependencies to be deleted from package registries.”) That prediction turned out to be true. :(
I went through this somewhat recently in a reddit convo: https://old.reddit.com/r/rust/comments/c9fzyp/analysis_of_rust_crate_sizes_on_cratesio/et046dz/ --- Widely used/trusted libraries are one thing. Tons of small dependencies maintained by different people with different policies at different maturity levels is another. It's a real cost.
Agreed. Trust is a tricky problem to handle. I'll point out that *most* of the discussion around trust and crates is reactionary to "npm problems" and that's super unhealthy: it leads to half solutions that don't actually work out for most use cases of trust.
New conversation
A first approximation would seem that the likelihood that at least one would fail to protect you from supply-chain malice is exponential in the number of publishers you depend on.
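To make the "exponential in the number of publishers" approximation concrete, here is a small added example (not from the thread or any project it mentions). It assumes each publisher independently fails to protect you with the same probability p, so the chance that none of n publishers fails is (1 - p)^n and the chance that at least one fails is 1 - (1 - p)^n. It also counts distinct publishers rather than crates from a constructed dependency list, since the claim is about publishers; the crate and publisher names are made up.

```python
import math

# Constructed sample dependency tree as (crate, publisher) pairs.
# Names are made up for illustration; several crates share a publisher.
SAMPLE_DEPS = [
    ("app-http", "alice"), ("app-json", "alice"),
    ("tiny-pad", "bob"), ("tiny-trim", "bob"), ("tiny-case", "bob"),
    ("fast-hash", "carol"),
    ("log-fmt", "dave"),
]


def distinct_publishers(deps):
    """Set of publishers you ultimately trust, regardless of crate count."""
    return {publisher for _, publisher in deps}


def compromise_probability(n, p):
    """P(at least one of n independent publishers fails) = 1 - (1 - p)^n.

    Independence and a uniform p are simplifying assumptions; the point
    is that the 'safe' term (1 - p)^n shrinks exponentially with n.
    """
    if n < 0 or not 0.0 <= p <= 1.0:
        raise ValueError("n must be >= 0 and p must lie in [0, 1]")
    return 1.0 - (1.0 - p) ** n


def max_publishers(p, budget):
    """Largest n such that compromise_probability(n, p) <= budget.

    Solves (1 - p)^n >= 1 - budget for n; log(1 - p) is negative, so the
    inequality flips when dividing, giving n <= log(1 - budget) / log(1 - p).
    """
    if not 0.0 < p < 1.0 or not 0.0 <= budget < 1.0:
        raise ValueError("p must lie in (0, 1) and budget in [0, 1)")
    return int(math.floor(math.log(1.0 - budget) / math.log(1.0 - p)))


def risk_table(p, counts=(1, 5, 10, 50, 100)):
    """Compromise probability for several publisher counts at a fixed p."""
    return {n: compromise_probability(n, p) for n in counts}


if __name__ == "__main__":
    publishers = distinct_publishers(SAMPLE_DEPS)
    print(f"{len(SAMPLE_DEPS)} crates from {len(publishers)} publishers")
    for n, risk in risk_table(0.01).items():
        print(f"p=1%  n={n:>3}  P(at least one fails)={risk:.3f}")
    print("publishers you can depend on at p=1% with a 5% budget:",
          max_publishers(0.01, 0.05))
```

Note that the number that matters in this model is the publisher count, not the crate count: seven crates here resolve to four trust decisions, which is why consolidating on fewer, well-maintained publishers lowers the aggregate risk even when the dependency graph stays the same size.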