by quickthrower2 1474 days ago
It is a fine balance. Good luck doing that in JS which has zero standard library on the browser.

C#, for example, is in better shape and you can do a lot before you reach for nuget for anything outside of Microsoft.

I prefer to not import tiny libraries but adopt the code into the codebase.

4 comments

> Good luck doing that in JS which has zero standard library on the browser.

The article is saying something more like vendor your dependencies (and cut out the stuff you don't use within dependencies).

> I prefer to not import tiny libraries but adopt the code into the codebase.

Yep that's what the article is saying.

I don't get why people find vendoring valuable. If you vendored log4j, you'd get the same exact bug in your vendored version, and you'd need more work to pull in the fix.

Perhaps people imagine that if they vendor they'll review all the code they pull in, but I've never seen it happen in practice beyond "LGTM". It wouldn't have found the log4j vulnerability, and could overlook even intentionally malicious code if only the source looked innocent enough at first glance.

Why are so many people using log4j or any complex logging library in the first place?

If it weren’t for C#, we’d have a much harder time doing business with our banking customers.

When it comes to vendor due diligence time, we only have to write a single 3rd party’s name into that box. Every one of our customers mutually trusts Microsoft too.

We’ve been at it for over 7 years now and we still only “depend” on Microsoft. Even stuff like SQLite falls under the Microsoft.Data.* scope these days.

The browser has one of the most extensive standard libraries out there.

> JS which has zero standard library on the browser.

Could you explain what you mean by a standard library or by zero? :-) Or, more to the point, what are the specific things that you would add to the JS standard library that you find missing in the browser?

Consider the latest release of an evergreen browser as a reference point.

(I know about date manipulations. This should be addressed by the Temporal proposal that's already at stage 3. What else?)