[kllrnohj]

> I get "trying to stay vanilla", but any reasonably-common snippet should either be installed from npm or published there.

And that's how you end up with the joke that was left-pad and the broken internet that resulted when the author yanked it.

Dependencies represent a real risk to your product. If it is actually a simple snippet, you shouldn't take that as an NPM dependency - the risk/reward ratio is just way out of whack with that.

[turnipla]

Risk of what? You can make dependencies fully sticky with lockfiles.

Instead of adding a file to your “libs” folder you add a line to package.json

Any code that isn’t in my repo is code I don’t have to maintain.

Left pad can’t happen anymore (for 4 years now) and if you don’t know that you’re either lying or outdated (like those files in your libs folder)

[AgentME]

NPM disallowed un-publishing modules within a few days of that incident. It's not a thing that happens any more. Also, NPM for years has defaulted to creating lockfiles with all the specific versions of dependencies pinned, so even if a dependency gets updated to have a bug, you will stay on the currently-pinned version unless you specifically change that.

[kllrnohj]

> It's not a thing that happens any more

Except it literally happened again 2 years after the left-pad incident:

https://status.npmjs.org/incidents/41zfb8qpvrdj https://github.com/facebook/create-react-app/issues/3701 https://github.com/angular/angular-cli/issues/9113

But anyway whether or not the module is un-published doesn't really matter. The module could also just become malicious. Ownership changes, quality of code changes, etc... If you're pinning with lockfiles you're basically back to copy/pasting or checking in a clone of an upstream repo - the maintenance burden shifts back to you at that point. You still then have to manually go update, and remember to do that, or you become just as easily obsolete as the copy/pasted snippet.