Hacker News new | ask | show | jobs
by pridkett 234 days ago
Simple for simple cases - but you update a dependency and that updates a dependency that has a window range of dependencies because one version had a security issue which causes you to downgrade three other packages.

It can get complicated. The resolver in uv is part of its magic.

https://docs.astral.sh/uv/reference/internals/resolver/
1 comments
noosphr 234 days ago
JavaScript has truly rotted the brains of software developers.

You include the security patch of whatever your dependencies are into your local vetted pypi repository. You control what you consider liabilities and you don't get shocked by breakages in what should be minor versions.

Of course you have to be able to develop software and not just snap Lego's together to manage a setup like that. Which is why uv is so popular.

link
Capricorn2481 234 days ago
You can make it a language flame war, but the Python ecosystem has had no problem making this bed for themselves. That's why people are complaining about running other people's projects, not setting up their own.

Sensible defaults would completely sidestep this, that's the popularity of uv. Or you can be an ass to people online to feel superior, which I'm sure really helps.

link
throw-the-towel 234 days ago
You're implying that I have to run a local Pypi just to update some dependencies for a project? When other languages somehow manage without that? No way I'm doing that.
link
icedchai 234 days ago
Some organizations force you to use their internal dependency repos because the "IT department" or similar has blessed only certain versions in the name of "security" (or at least security theater.)

Inevitably, these versions are out-of-date. Sometimes, they are very, very out of date. "Sorry, I can only install [version from 5 years ago.]" is always great for productivity.

I ran into this recently with a third-party. You'd think a 5 year old version would trigger alarm bells...

link
int_19h 233 days ago
This is the norm at all big tech companies now AFAIK.
link
noosphr 233 days ago
I use 30 year old software regularly. Newer doesn't mean working.
link
icedchai 233 days ago
Sure. I do a lot of retrocomputing and that's fine. I have OSes from the 80's running in emulators.

But when you're developing software, you want the newer stuff. Would you use MySQL 5.0 from 2005? No, you'd be out of your mind.

link
9dev 234 days ago
Im wondering if people like you are getting paid to vet other people’s libraries? Because with every modern project I have ever seen, you can’t do too much the rest of the day with the amount of library updates you have to be vetting.
link
Capricorn2481 234 days ago
He's a consultant. Making everyone else sound incompetent is part of the gig.
link
oivey 234 days ago
Cool so how does that work when you’re writing a library that you want to distribute to other people?
link