by nkkollaw 2550 days ago
> Studying the dependencies, esp for JS, takes a lot of time as well. Before including a library, I want to know if it is maintained, if it has no known sec flaws and if the author dies I have a chance of taking it up ourselves, at least for audits and sec fixes.

Sure, but a lot less time than planning, programming, debugging, and maintaining your own library.

> In general; many deps is a bad idea for longevity of software. How can you know if it does not all crash and burn if the author changes jobs?

Many, many times, if a library doesn't work there are about 100 other ones that do the same thing.

> At least with 20 year old PHP it still runs and without knowing PHP beforehand, it is not hard to change/fix for a capable programmer.

How does it run? It's not even maintained anymore, nor installable on any modern server. You can run it, and be exposed to all kinds of security holes.

> It is a compromise of course; I am not against reuse, but only to the limit we could possibly handle maintenance and updates ourselves of all imported libs. Otherwise it is a no-go.

There's a much higher chance of a single developer falling out of love with/not having time for a project anymore than of a major library becoming unmaintained or having a serious bug go unfixed.

If that happens, you just swap it with another one. It takes 1/100th of the time compared to doing everything yourself.