by klodolph
1543 days ago
> I don't think there's any clear argument you can make on first principles for which of those is actually the case.
>
> I don't understand why someone would try to argue from first principles here; it just seems like such a bizarre approach. Anyway, it's not just a security issue. Malicious packages and security fixes are only part of the picture. Other issues:
>
> - Despite a team's promise to use semantic versioning, point releases & "bugfix" releases will break downstream users
> - Other systems for determining the versions to use are much more unpredictable and hard to understand than estimated (look at Dart and Cargo)
>
> https://github.com/dart-lang/pub/blob/master/doc/solver.md
> https://github.com/rust-lang/cargo/blob/1ef1e0a12723ce9548d7...

I'm one of the co-authors of Dart's package manager. :)
Yes, it is complex. Code reuse is hard and there's no silver bullet.