
We would be eliminating this cancer where a ridiculous library like the following depends on a ridiculous library (is-string) that also has dependencies. The transitive libraries have over 3 million downloads per week.

https://www.npmjs.com/package/is-eq-three?activeTab=dependencies

24 replies

36 views
Perlik-Yubenji (question author)

I think this is what the Javascript community needs. You copy/paste the package code into your repository as your own code, not as a dependency. It is an extra step for now, but I am sure we can create tools to automate this. The screenshot is from ui.shadcn.com. I believe Tailwind is also going the same route for components.

Perlik Yubenji
screenshot I think this is what Javascript community needs. ...

Not sure I follow how it fixes one-liners distributed as packages

Perlik-Yubenji (question author)
Thomas
I don't like this either

Change is tough for everyone. But it is for a better tomorrow.

Perlik Yubenji
change is tough for everyone. But it is for a be...

It works only for the most trivial pieces of code

Perlik-Yubenji (question author)

We remove the ability for a dependency to have dependencies. In the end, we will ensure that apps can only have direct dependencies.

Perlik-Yubenji (question author)
Perlik Yubenji
We remove the ability for a dependency to have dep...

What happens when a dependency really does need a subdependency? Injection only?

Perlik-Yubenji (question author)
Thomas
What happens when a dependency really does need a ...

Sounds like a great solution to start with. 😀

Perlik Yubenji
screenshot I think this is what Javascript community needs. ...

I think this is dumber. There are already so many "this snippet was copied a thousand times from SO and turned out to be incorrect" cases, and what you're suggesting is what GitHub Copilot is going to do anyway. Copy-pasted code is hard to manage, compared to a micro dependency.

Perlik-Yubenji (question author)
Ellipsis (...) | now upto ♾
I think this is dumber. there are already so many...

What makes you think any npm package is always correct?

Perlik-Yubenji (question author)
Perlik Yubenji
what makes you think any npm package is always cor...

It can of course be incorrect, but there is a chance to see a fix shipped by the author or be notified by dependency scanners (like GitHub Dependabot). If it is a one-off copy & paste, even from something trackable like a GitHub gist, it will be hard to learn about fixes. We may manually check for updates from time to time, but if there are more copy-pasted dependencies, it becomes unmanageable to track. If we automate it, we reinvent package managers.

Perlik-Yubenji (question author)
Nikolay Khodov
It can be ofc incorrect, but there is a chance to ...

Dependency scanners don't magically identify issues. They are reported by users. What you are trying to describe sounds like an issue that can be fixed by subscribing to vulnerability notifications.

Perlik-Yubenji (question author)

Once you copy-paste it into your project, customize it to fit your needs. Any updates you need can be made the same way you do for your own code, and as I have indicated, my suggestion is not to do away with dependencies/packages, only with dependencies that are required by other dependencies, a.k.a. transitive dependencies.

Perlik Yubenji
once you copy paste to your project, customize it...

Good in theory, does not seem to be scalable in practice

Thomas
It all comes down to skill

Sure thing, we must be implying different things. Do you suggest avoiding transitive dependencies, or packaged one-liners?

Perlik-Yubenji (question author)
Nikolay Khodov
Good in theory, does not seem to be scalable in pr...

That's true, depending on many things. It's also true that managing dependencies is not really scalable.
