like the following depends on a ridiculous library (is-string) that also has dependencies. The transitive libraries have over 3 million downloads per week.
https://www.npmjs.com/package/is-eq-three?activeTab=dependencies
I think this is what the JavaScript community needs: you copy/paste the package code into your repository as your own code, not as a dependency. It is an extra step for now, but I am sure we can create tools to automate this. The screenshot is from ui.shadcn.com. I believe Tailwind is also going the same route for components.
I don't like this either
Aren't web components kind of similar?
Not sure I follow how it fixes one-liners distributed as packages.
Change is tough for everyone, but it is for a better tomorrow.
Aren't you just describing snippets?
It works only for the most trivial pieces of code.
We remove the ability for a dependency to have dependencies. In the end, we will ensure that apps can only have direct dependencies.
That works perfectly too.
What happens when a dependency really does need a subdependency? Injection only?
Sounds like a great solution to start with. 😀
I think this is dumber. There are already so many "this snippet was copied a thousand times from SO and turned out to be incorrect" cases, and what you're suggesting is what GitHub Copilot is going to do anyway. Copy-pasted code is hard to manage, harder than a micro-dependency.
What makes you think any npm package is always correct?
A package is easier to update than a snippet.
How does it make the code correct?
It can of course be incorrect, but there is a chance to see a fix shipped by the author or to be notified by dependency scanners (like GitHub Dependabot). If it is a one-off copy & paste, even from something trackable like a GitHub gist, it will be hard to learn about fixes. We may manually check for updates from time to time, but if there are more copy & pasted dependencies, it becomes unmanageable to track. If we automate it, we reinvent package managers.
Dependency scanners don't magically identify issues; they are reported by users. What you are trying to describe sounds like an issue that can be fixed by subscribing to vulnerability notifications.
Once you copy-paste into your project, customize it to fit your needs. Any updates you need can be made the same way you do for your own code, and as I have indicated, my suggestion is not to do away with dependencies/packages, only with dependencies that are required by other dependencies, a.k.a. transitive dependencies.
Good in theory, but it does not seem scalable in practice.
It all comes down to skill.
Sure, we must mean different things. Do you suggest avoiding transitive dependencies or packaged one-liners?
That's true, depending on many things. It's also true that managing dependencies is not really scalable.