by sidmkp96 3280 days ago
So? What's wrong with this? Why would someone check in all the 3rd party code, when the same can be described in package.json & downloaded again.
2 comments

I started seeing the floating dependency approach at smaller places and personally consider it a bad pattern.

You get everything you depend on, stuff it into a folder named third-party, and check it in forever (or until security bugs, features you need, etc.). Include any and all licences; this is important.

When dealing with any software that's supposed to be out there for decades, the last thing you want is to have unplanned work because of missing libraries.

I have seen this first hand at an acquisition. Missing licenses resulted in the entire FE team working on finding missing licenses/finding alternative modules with a proper license or, worst case scenario, implementing our own solution. This literally took 1 week. Shrink-wrap would have saved us a bunch of $$$.
You have to be careful about the type of licenses as well. Happened to me, luckily it was a tiny library and there was an alternative available.

See anything with a "cute" license, such as WTFPL? Don't use it for work.

What's wrong with WTFPL?

I needed some wtfpl code for something, and asked a team of corporate lawyers to evaluate it.

They deemed it acceptable, and whitelisted it at one of the biggest software companies around.

Another one of the biggest software companies around came to the opposite conclusion :(
Yes, it takes one to go through that experience once, to fully appreciate the effort. I also look at that one downvote to my post, and can't help but think that somebody is up for a very nasty surprise in his career.
I guess some see a risk of mutability (https://medium.com/@azerbike/i-ve-just-liberated-my-modules-...).

But you can always use shrink-wrap or other package managers that guarantee immutability.

Oh, I guess I should say I love npm/yarn and use it as a core of all my projects.