Comment by Maskawanian
2 months ago
Golang at least gives you the option to easily vendor-ize packages to your local repository. Given what has happened here, maybe we should start doing this more!
This doesn't really help you. I assume Go records the sha1 hash of the commit it grabs, so it doesn't really matter if you vendor it, or download it every time.
The problem comes when you want to upgrade your dependencies. How do you know that they are trustworthy on first use?
Go uses the hash of the source code, not the commit ID. So there's no difference between vendoring and using the central repo.
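To make the point in the reply above concrete, here is an added example (not code from this thread or from the Go toolchain) that re-implements the `h1:` checksum scheme recorded in go.sum over constructed in-memory files: identical source yields the same checksum no matter which commit it came from, and a one-byte change is caught on verification. The module name, version and file contents are made up.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
	"strings"
)

// hash1 mirrors the go.sum "h1:" format: hash each file's contents, write
// "<sha256hex>  <name>\n" lines in sorted name order, then hash that summary.
// Only file names and bytes go in; commit IDs and VCS metadata play no part.
func hash1(files map[string][]byte) string {
	names := make([]string, 0, len(files))
	for name := range files {
		names = append(names, name)
	}
	sort.Strings(names)
	summary := sha256.New()
	for _, name := range names {
		sum := sha256.Sum256(files[name])
		fmt.Fprintf(summary, "%x  %s\n", sum, name)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(summary.Sum(nil))
}

// verifyGoSum checks a "module version h1:..." go.sum line against files.
func verifyGoSum(line string, files map[string][]byte) bool {
	fields := strings.Fields(line)
	return len(fields) == 3 && fields[2] == hash1(files)
}

// snapshot builds a constructed module tree; commit is the pretend VCS revision.
func snapshot(commit string, body string) map[string][]byte {
	_ = commit // deliberately unused: the checksum ignores where the code came from
	return map[string][]byte{
		"example.com/m@v1.0.0/go.mod": []byte("module example.com/m\n"),
		"example.com/m@v1.0.0/m.go":   []byte(body),
	}
}

func main() {
	a := snapshot("deadbeef", "package m\n")
	b := snapshot("cafef00d", "package m\n") // same source, different commit
	line := "example.com/m v1.0.0 " + hash1(a)
	fmt.Println("same source, other commit verifies:", verifyGoSum(line, b))
	tampered := snapshot("cafef00d", "package m // changed\n")
	fmt.Println("modified source verifies:", verifyGoSum(line, tampered))
}
```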
npm has always downloaded to the current directory.
That isn't the same as vendor-izing unless you are committing node_modules to your VCS, which would be insane.