[pca006132]

But this doesn't solve dependency hell. If the functionalities were loosely coupled, you can already vendor the code in and manually review them. If they are not, say it is a db, you still have to depend on that?

Or maybe you can use AI to vendor dependencies, review existing dependencies and updates. Never tried that, maybe that is better than the current approach, which is just trusting the upstream most of the time until something breaks.

[neoromantique]

When I need 1% of library's functionality, I can use AI to generate me a good enough replacement that does not require shipping any vendor code.

Will it be potentially more fragile and less featured? Sure, but it also will not bring in a thousand packages of dependencies.

[joquarky]

Are you really going to manually review all of moment.js just to format a date?

[pca006132]

By vendoring the code in, in this case I mean copying the related code into the project. You don't review everything. It is a bad way to deal with dependencies, but it feels similar to how people are using LLMs now for utility functions.