by danudey
2392 days ago
PostgreSQL is one project. These dependencies are 242 projects, privately managed and unvetted. I can choose to "trust" the PostgreSQL project, as it's a mature project with high visibility. I can't practically choose to "trust" those 242 projects and gauge the trustworthiness of 179 separate contributors; doing so would take vastly more time than most people have. Dependency bloat is a huge and frustrating problem, especially for people who want to know where their code is coming from and don't want to have to decide to trust hundreds of people for a random CLI tool.