Comment by zwnow
2 months ago
Unfortunately that's almost the whole industry. Every software project I've seen has an uncountable amount of dependencies. No matter if npm, cargo, go packages, whatever you name.
Every place I ever worked at made sure to curate the dependencies for their main projects. Heck, in some cases that was even necessary for certifications. Web dev might be a wild west, but as soon as your software is installed on prem by hundreds or thousands of paying customers the stakes change.
Curating dependencies won't prevent all supply chain attacks though
Zero-external-dependency Go apps are far more feasible than Rust or Node, simply because of the size and quality of the standard library.
Just the other day someone argued with me that it was reasonable for Limbo (the SQLite Rust rewrite) to have 3135 dependencies (of those, 1313 Rust dependencies).
https://github.com/tursodatabase/turso/network/dependencies
Even more wild considering that SQLite prides itself on having zero dependencies. Sounds like a doomed project.
This is incredible.
At this rate, there's a non-zero chance that one of the transitive dependencies is SQLite itself.
Yeah. You have dev dependencies in there; those alone will increase the number of dependencies by ~500 without ending up in the final product.
Those numbers are way off their actual number.
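A check that makes the distinction in the reply above concrete, added here as an example and not code from the thread or from the Limbo project: it walks the resolve graph that `cargo metadata --format-version 1` emits and counts the runtime (normal-edge) closure separately from the total that dev and build dependencies inflate. The embedded metadata is a constructed sample in that JSON shape, not any real crate's graph.

```python
"""Count transitive deps from `cargo metadata`: runtime vs. dev/build-inflated total."""
import json

# Constructed sample in the shape of `cargo metadata --format-version 1`,
# reduced to the fields read below; it is not any real project's graph.
SAMPLE_METADATA = json.dumps({
    "resolve": {
        "root": "app 0.1.0",
        "nodes": [
            {"id": "app 0.1.0", "deps": [
                {"pkg": "libc 0.2.0", "dep_kinds": [{"kind": None}]},
                {"pkg": "serde 1.0.0", "dep_kinds": [{"kind": None}]},
                {"pkg": "criterion 0.5.0", "dep_kinds": [{"kind": "dev"}]},
                {"pkg": "cc 1.0.0", "dep_kinds": [{"kind": "build"}]},
            ]},
            {"id": "serde 1.0.0", "deps": [
                {"pkg": "serde_derive 1.0.0", "dep_kinds": [{"kind": None}]}]},
            {"id": "serde_derive 1.0.0", "deps": [
                {"pkg": "syn 2.0.0", "dep_kinds": [{"kind": None}]}]},
            {"id": "criterion 0.5.0", "deps": [
                {"pkg": "rayon 1.8.0", "dep_kinds": [{"kind": None}]},
                {"pkg": "serde 1.0.0", "dep_kinds": [{"kind": None}]}]},
            {"id": "libc 0.2.0", "deps": []}, {"id": "syn 2.0.0", "deps": []},
            {"id": "cc 1.0.0", "deps": []}, {"id": "rayon 1.8.0", "deps": []},
        ],
    }
})

def closure(metadata_json, kinds):
    """Package ids reachable from the root, following only edges whose
    dep_kinds include a kind in `kinds` (None is cargo's normal kind)."""
    resolve = json.loads(metadata_json)["resolve"]
    graph = {n["id"]: n["deps"] for n in resolve["nodes"]}
    seen, stack = set(), [resolve["root"]]
    while stack:
        for dep in graph.get(stack.pop(), []):
            if dep["pkg"] not in seen and any(k["kind"] in kinds for k in dep["dep_kinds"]):
                seen.add(dep["pkg"])
                stack.append(dep["pkg"])
    return seen

def runtime_deps(metadata_json):
    """Only what is linked into the shipped binary."""
    return closure(metadata_json, {None})

def all_deps(metadata_json):
    """Everything cargo fetches and compiles, dev and build deps included.
    Those still get built on developer and CI machines (build.rs, proc macros),
    so this larger number is the one that matters for supply-chain exposure."""
    return closure(metadata_json, {None, "dev", "build"})
```

On a real checkout, pipe `cargo metadata --format-version 1` into `closure` instead of the sample; the gap between the two counts is the dev/build share the reply refers to.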