|
|
|
|
|
|
by foresto
602 days ago
|
|
|
These dependency managers are something of a double-edged sword. They avoid a lot of work if your project has a lot of external packages, but they also encourage pulling in lots of external dependencies without much thought. Every one of those, and every one of their sub-dependencies, exposes users of the software to significantly more risk. It's a breeding ground for common vulnerabilities and supply chain attacks. Partly because of this, I try to avoid external dependencies as much as possible. When I need something that's not built in to the language, I choose in the following order of preference: 1. The standard library and target platform libraries, augmenting any inadequate features with my own extensions if necessary. 2. A very well known, well maintained, and widely used library with few dependencies of its own. Something that could almost be mistaken for #1. 3. Write my own minimal version of what I need, if I can do so with a reasonable level of effort. 4. A lesser-known third-party library, if it appears well maintained, and if I am willing to audit it and every future update to it. A happy side effect is that a language with no built-in dependency manager is still perfectly viable for me, since it wouldn't be saving me much work anyway. |
|
|