That means throwing away thousands of hours of hundreds of programming time, just to reinvent the wheel and use untested, vulnerable, and I assume buggy (from lack of testing in real world) code.
1. usually a library has a wider range of features than you need. So you don't have to rewrite the whole library, just the bits you need, and you end up writing much less code because don't have to integrate the bits you need with the bits you don't need.
2. you do have to spend a lot of time understanding the interface of the imported library and writing integration code to use it correctly.
3. (as others have said) there's a lot of time spent auditing the library (and all its dependencies) to make sure it's not doing bad things. And that auditing work needs to be repeated every time any dependency of the library updates a version.
This is especially important if you're doing anything with customer information involved - you're liable if you import a library that imports a dependency that quietly sends your customer's personal information to a url in Russia.
4. you may have to make architectural compromises to fit the library in; it might not support concurrent access, or idempotent calls, and that may cause more time loss in the long run than just writing what you need yourself.
5. the library becomes a black box, and your code becomes plumbing connecting the black boxes together. Trying to debug your application, or improve performance, or make it more robust, is impossible because you can't change any of the black boxes and your plumbing code does nothing important.
that's most of why I prefer to roll my own code rather than import a dependency in most cases (crypto being the notable exception).
Studying the dependencies, esp for JS, takes a lot of time as well. Before including a library, I want to know if it is maintained, if it has no known sec flaws and if the author dies I have a chance of taking it up ourselves, at least for audits and sec fixes. If you are doing npm install and further ignoring those implications, then yes, you are right, but it will bite you in the end as software outlives it’s initial intended lifespan sometimes by decades; how much VB6 is running production that was ‘just a little tool for a few months until we ...’? ... how much PHP? personally I know 1000s of those running across companies we work with. With VB6 and PHP ‘oldskool’ (meaning little or no deps in the form of downloaded libs and components) people have no issue maintaining it. But if you have to do some fixes in 2029 on a node.js API you finished yesterday, you would not be happy. With 10000s of libs that will not exist anymore, many of those having massive security issues, many API’s they call out to having changed, you would need to study and work on the entire tree that affects the changes. If you did not set this up with this in mind (which seems some kind of JS plague as you indeed also suggest), this is what will happen in many occasions.
In general; many deps is a bad idea for longevity of software. How can you know if it does not all crash and burn if the author changes jobs? Personally I want to know I have the sources and understand them enough to be able to support them with our team; in reality, for the JS ecosystem, that often means it is less work (those hours you mention) to write it yourself because it was trivial to begin with anyway and the npm solution has 1000 dependencies yours does not (for instance, they use deps like left-pad to implement something that can be implemented in 100 lines of pure JS, now needing still 100 lines but of rancid (unsupported?) one liner ‘libraries’ which is absolutely insane)
Managers usually are not programmers nor have technical background: once something works, they might not allocate time for you/your team to touch it for many years. You probably left or enjoying your pension (many anecdotes about that: a lot of companies are running on software that was done by one employee and he retired, years ago), while some poor junior who does not know what JS is, is holding your turd. At least with 20 year old PHP it still runs and without knowing PHP beforehand, it is not hard to change/fix for a capable programmer.
I have seen this with larger node.js and with Rails projects; not so much with Java and .NET projects; the latter seem to be fine many year later (maybe with some tiny migrations), even when updating libraries or runtimes.
It is a compromise ofcourse; I am not against reuse, but only to the limit we could possibly handle maintenance and updates ourselves of all imported libs. Otherwise it is a no-go.
it's not just the lib, the whole ecosystem is fucked. trying to compile a two year old gulp project is madness because all tooling have all kind of incompatibilities with their own file format and other tools invocations.
many of these only work when installed globally and conflict each other version to the point the only way to work at project of different ages are chroots or flat out vms. whomever ever thought that -g was a good idea should never work at a tooling system again.
heck, some years ago you could push a library change to npm updating a version number that already existed there, the place is a mad house.
> Studying the dependencies, esp for JS, takes a lot of time as well. Before including a library, I want to know if it is maintained, if it has no known sec flaws and if the author dies I have a chance of taking it up ourselves, at least for audits and sec fixes.
Sure, but a lot less time that planning, programming, debugging, maintaining your own library.
> In general; many deps is a bad idea for longevity of software. How can you know if it does not all crash and burn if the author changes jobs?
Many many times if a library doesn't work there are about 100 other ones that do the same thing.
> At least with 20 year old PHP it still runs and without knowing PHP beforehand, it is not hard to change/fix for a capable programmer.
How does it run? It's not even maintained anymore nor installable in any modern server. You can run it, and be exposed to all kinds of security holes.
> It is a compromise ofcourse; I am not against reuse, but only to the limit we could possibly handle maintenance and updates ourselves of all imported libs. Otherwise it is a no-go.
There's a much higher change of a single developer falling out of love/not having time for a project anymore than a major library becoming unmaintained or having a serious bug unfixed.
If that happens, you just swap it with another one. It takes 1/100th of the time compared to do everything yourself.
1. usually a library has a wider range of features than you need. So you don't have to rewrite the whole library, just the bits you need, and you end up writing much less code because don't have to integrate the bits you need with the bits you don't need.
2. you do have to spend a lot of time understanding the interface of the imported library and writing integration code to use it correctly.
3. (as others have said) there's a lot of time spent auditing the library (and all its dependencies) to make sure it's not doing bad things. And that auditing work needs to be repeated every time any dependency of the library updates a version. This is especially important if you're doing anything with customer information involved - you're liable if you import a library that imports a dependency that quietly sends your customer's personal information to a url in Russia.
4. you may have to make architectural compromises to fit the library in; it might not support concurrent access, or idempotent calls, and that may cause more time loss in the long run than just writing what you need yourself.
5. the library becomes a black box, and your code becomes plumbing connecting the black boxes together. Trying to debug your application, or improve performance, or make it more robust, is impossible because you can't change any of the black boxes and your plumbing code does nothing important.
that's most of why I prefer to roll my own code rather than import a dependency in most cases (crypto being the notable exception).