Comment by threatofrain

8 hours ago

Copying is just as much dependency, you just have to do maintenance through manual find-and-replace now.

> you just have to do maintenance through manual find-and-replace now

Do you? It doesn't seem even remotely like an apples-to-apples comparison to me.

If you're the author of a library, you have to cover every possible way in which your code might be used. Most of the "maintenance" ends up being due to some bug report coming from a user who is not doing things in the way you anticipated, and you have to adjust your library (possibly causing more bugs) to accommodate, etc.

If you instead imagine the same functionality being just another private thing within your application, you only need to make sure that functionality works in the one single way you're using it. You don't have to make it arbitrarily general purpose. You can do error handling elsewhere in your app. You can test it only against the range of inputs you've already ensured are the case in your app, etc. The amount of "maintenance" is tiny by comparison to what a library maintainer would have to be doing.

It seems obvious to me that "maintenance" means a much more limited thing when talking about some functionality that the rest of your app is using (and which you can test against the way you're using it), versus a public library that everyone is using and needs to work for everyone's usage of it.

  • > If you're the author of a library, you have to cover every possible way in which your code might be used.

    You don't actually. You write the library for how you use it, and you accept pull requests that extend it if you feel it has merit.

    If you don't, people are free to fork it and pull in your improvements periodically. Or their fork gets more popular, and you get to swap in a library that is now better-maintained by the community.

    As long as you pin your package, you're better off. Replicating code pretty quickly stops making sense.
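A concrete form of the pinning the reply above relies on, as an added example that is not from the thread: a small Python check over an npm package-lock.json (a constructed sample; the package names, registry URL and hash are placeholders) that flags manifest ranges and lockfile entries lacking an integrity hash. It verifies that the tree cannot drift on a fresh install, not that the pinned version was trustworthy to begin with.

```python
"""Check that every package in an npm lockfile is pinned to an exact
version and carries an integrity hash. Added example, not code from the
thread; the lockfile below is constructed and its names, URL and hash
are placeholders."""
import json
import re

# npm package-lock.json v2/v3 layout: "packages" maps "node_modules/<name>"
# to an object with "version", "resolved" and "integrity" fields.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app",
             "dependencies": {"left-pad-ish": "^1.3.0", "tiny-util": "2.0.1"}},
        "node_modules/left-pad-ish": {
            "version": "1.3.0",
            "resolved": "https://registry.example.invalid/left-pad-ish-1.3.0.tgz",
            "integrity": "sha512-PLACEHOLDERBASE64==",
        },
        "node_modules/tiny-util": {
            "version": "2.0.1",
            "resolved": "https://registry.example.invalid/tiny-util-2.0.1.tgz",
            # no integrity field: npm cannot verify this tarball on install
        },
    },
})

# Exact semver: major.minor.patch with optional prerelease/build suffix.
EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+([-+][0-9A-Za-z.-]+)?$")

def audit_lock(lock_text):
    """Return (package, problem) tuples for unpinned or unverifiable entries."""
    lock = json.loads(lock_text)
    problems = []
    root = lock["packages"].get("", {})
    # A range in the root manifest ("^1.3.0") is what an install without the
    # lockfile would resolve, so the tree can drift to a newer release.
    for name, spec in root.get("dependencies", {}).items():
        if not EXACT_VERSION.match(spec):
            problems.append((name, f"manifest range {spec!r} instead of exact version"))
    for path, entry in lock["packages"].items():
        if not path.startswith("node_modules/"):
            continue
        name = path[len("node_modules/"):]
        if not entry.get("integrity"):
            problems.append((name, "no integrity hash; tarball cannot be verified"))
        if not entry.get("resolved"):
            problems.append((name, "no resolved URL"))
    return problems
```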

Copied text does not inject bitcoin mining malware three months after I paste it.

  • Neither does a dependency you don't update, though, which is isomorphic to copied code you never update.

Usually these types of things never change. I understand that all code is a liability, but npm takes this way too far. Many utility functions can be left untouched for many years if not forever.

  • It's not NPM. It's JS culture. I've done a lot of time programming in TypeScript, and it never fails that in JS programmer circles they are constantly talking about updating all their packages, completely befuddled why I'd be using some multiple year old version of a library in production, etc.

    Meanwhile Java goes the other way: twenty-year old packages that are serious blockers to improved readability. Running Java that doesn't even support Option (or Maybe or whatever it's called in Java).

    • Java writes to a bytecode spec that has failed to keep up with reality, to its detriment. Web development keeps up with an evolving spec pushed forward by compatibility with what users are actually using. This is "culture" only in the most distant, useless sense of the word. It is instead context, which welcomes it back into the world of just fucking developing software, no matter how grey-haired HN gets with rage while the world moves on.

      EDIT: Obvious from the rest of your responses in this thread that this is trolling, leaving this up for posterity only

Most of these util libraries require basically no changes ever. The problem is the package maintainers getting hacked and malicious versions getting pushed out.

  • If you use an LLM to generate a function, it will never be updated.

    So why not do the same thing with a dependency? Install it once and never update it (and therefore hacked and malicious versions can never arrive in your dependency tree).

    You're a JS developer, right? That's the group who thinks a programmer's job includes constantly updating dependencies to the latest version constantly.

    • You're not a web developer, right? See my other comment about context if you want to learn more about the role of context in software development in general. If you keep repeating whatever point you're trying to make about some imaginary driving force to pointlessly update dependencies in web dev, you'll probably continue to embarrass yourself, but it's not hard to understand if you read about it instead of repeating the same drivel under every comment in this thread.

    • > Install it once and never update it (and therefore hacked and malicious versions can never arrive in your dependency tree).

      Huh? What if your once-off installation or vendoring IS a hacked and malicious version and you never realise and never update it? That's worse.

Keyword: little.

Dependencies need to pull their own weight.

Shifting responsibilities is a risk that the value added needs to offset.

Yeah, it's the main thing I really dislike about this - how do you make sure you know where it's from? (i.e. licensing) What if there are updates you need? Are you going to maintain it forever?

For some definition of "small piece of code" that may be ok, but also sometimes this is more than folks consider.

  • Do you know that you can just add a small text file or a comment explaining that a module is vendored code? And updates are handled the same way as the rest of the code. And you will be “maintaining” it as long as you need to. Libraries are not “here be dragons” best left to adventurous ones.

If I vendor a dependency that currently works for what my program does, I only have to care about it again if a security hole is discovered in it or if my program changes and the dependency is insufficient in some way. I don't have to worry about the person I'm importing code from going weird or introducing a bug that affects me.