← Back to context

Comment by lycopodiopsida

2 months ago

> Until you go get malware

While technically true, I have yet to see Go projects importing thousands of dependencies. They may certainly exist, but are absolutely not the rule. JS projects, however...

We have to realize, that while supply chain attacks can happen everywhere, the best mitigations are development culture and solid standard library - looking at you, cargo.

I am a JS developer by trade and I think that this ecosystem is doomed. I absolutely avoid even installing node on my private machine.

3 comments

lycopodiopsida

Reply
homebrewer  2 months ago

Here's an example off the top of my mind:

https://github.com/go-gitea/gitea/blob/main/go.sum

  • EdiX  2 months ago

    I think you are reading that wrong, go.sum isn't a list of dependencies it's a list of checksums for modules that were, at some point, used by this module. All those different versions of the same module listed there, they aren't all dependencies, at most one of them is.

    Assuming 'go mod tidy' is periodically run go.mod should contain all dependencies (which in this case seems to be shy of 300, still a lot).

  • mayama  2 months ago

    Half of go.sum dependencies generally are multiple versions of same package. 400 still a lot, but a huge project like gitea might need them I guess.

    > cat go.sum |awk '{print $1}' | sort |uniq |wc -l

    431

    > wc -l go.sum

    1156 go.sum