by shanebellone 1273 days ago
Anti-dependency mafia, rise up. I feel the same way. I code almost everything from scratch too.

I like the sentiment and I'm usually first in line to ridicule the 'npm install left-pad' crowd, but this doesn't always fly. Python is a great glue language to mash high performance C/Fortran components together. One does not simply write sklearn or pytorch from scratch.

"Python is a great glue language to mash high performance C"

This is exactly what I'm starting to work through. After 6 years of Python, I've finally hit the limit of what I can do with it. Now I'm working to rebuild an algorithm in C to reconnect to the Python application.

"One does not simply write sklearn or pytorch from scratch."

I also agree with this. Would either be in a product though? Personally, if it's not a product, I wouldn't mind dependencies.

Yes, they are in at least one product I can think of, and likely more. That product deploys its own conda environment and includes a huge amount of spatial analytical tools. Governments and large private enterprise the world over use ArcGIS Pro, as do many NGOs and education institutions, which is a massive leap forward for both desktop and highly integrated Web GIS work.

I'd be prepared to bet a bit of blind money that other industry tools use a similar setup where the Python libraries permit an exceptional cadence of development and help place those vendors' products at the pointy end of the market.

How they manage dependency security isn't super clear. They're always a couple of versions behind, so perhaps it's a CI/CD QA/QC thing which also includes security.

I get the general idea, but at the same time, I don't have the time to write my own libraries from scratch - all modern web standards are complex and most libraries filled with years to decades' worth of experience of all the edge cases that crop up, particularly as most standards don't carry a "compliance test suite".

It's one thing if I were paid by my employer to re-invent the wheel, but for personal projects... I don't have that much free time for them in the first place any more, I want to get shit done and not shave yaks all day. When I want a good grind, I'll pack out Factorio or one of the LEGO Switch games...

There's a difference in values between those who reinvent the wheel and those who leverage open source. It sounds like you value time-to-product whereas I value ownership of said product.

There are always risks associated with building on other people's land, platforms, and codebases. However, there are also risks when reinventing the wheel. Both perspectives have advantages, disadvantages, and use cases.

A compromise is to audit and then pin exact versions, or even copy and paste the code into your project. Yes, this is a clear tradeoff in that you'll lose access to newer updates, but it's certainly worth thinking about. I do it with relatively trivial libraries for things that I know the package has solved various edge cases, is small in scope, and probably won't be updated again, for example.

I agree with you, but I'd prefer to reinvent the wheel rather than audit an existing code base.

It's reassuring, isn't it? Every time something breaks you have easy access to the mfer who wrote it.

Exactly!

We're also talking about layers of dependencies. It's a ridiculous approach.

I always build my whole computer from scratch from NAND gates all the way up to the full OS, build my own switches, cut the network cables myself, dependencies be damned. /s