272 points abdisalan | 4 comments
sgt ◴[] No.42175354[source]
I've actually had a node project go bad in a mere 4 months. It must be a new record. That was about 4-5 years ago though.

Hopefully the ecosystem has improved since then, but it was nearly impossible to get going.

Some packages had been changed and the version number overwritten with incompatible packages, and the conflicts were plenty.

replies(4): >>42175458 #>>42175556 #>>42176160 #>>42176366 #
jerf ◴[] No.42175556[source]
One of the things I'm intrigued by is that JS people, and the other couple of ecosystems where this is a big problem, go out to learn another language (as a good T-shaped developer does), and then start posting frantic questions to the new language's communities about how this popular library hasn't had a commit in six weeks, is it dead, oh my gosh wtf aaaaaaaaaaa.

It's OK. Not every language ecosystem is so busted that you can reliably expect a project not to work if someone isn't staring at it weekly and building it over and over again just in case. Now, it's always a risk, sure, no language anywhere is immune to the issue [1], but there's plenty of languages where you can encounter things from 5 years ago and your default presumption is that it's probably still working as well now as it did then. It may be wrong, but it's an OK default presumption.

[1]: Well... no language in common use anyhow. There's some really fringe stuff that uses what is basically content-based references for code dependencies, but I'm not aware of anything that I'd call "production quality" that even remotely looks like that, and is immune to someone just plain making an error with the semantic versioning or whatever.

replies(3): >>42175615 #>>42175633 #>>42176233 #
rootnod3 ◴[] No.42175615[source]
These JS developers would probably shiver at seeing many Common Lisp repos with a last commit like 12 years ago and still working like a charm.
replies(3): >>42175670 #>>42175679 #>>42189332 #
abdisalan ◴[] No.42175679[source]
I’m curious, how do you measure the pulse of a project that old? Do people still talk about it? Or is that not even necessary — use it until it breaks and otherwise don’t think about it?
replies(3): >>42175769 #>>42176012 #>>42177737 #
1. swatcoder ◴[] No.42176012[source]
Why do you want your building materials to have a pulse?

Ideally, in adopting dependencies, you should be looking for a mature utility whose design was clear and implementation is complete.

If it's open source, you should be able to read and understand the code yourself, and you should make an earnest effort to do so, in case it has faults you wouldn't usually allow in your own code and in case you need to fork it at some point.

This lets you build well-designed, stable, maintainable, clear things yourself.

The alternate, building your project on a random collection of "living" projects undergoing active development, is how you banish yourself to perpetual maintenance, build failures and CVE warnings that have nothing to do with your work, surprise regressions when you update your referenced version (you are, at least, pinning your versions??), etc.

replies(1): >>42176500 #
2. Macha ◴[] No.42176500[source]
Something like an HTTP 1.1 client is something you might expect would be a pretty stable thing that doesn't need too many updates, right?

But I would not assume that an HTTP client that has been untouched in 12 years supports SNI, for example, which means that actually it might be totally useless for a lot of modern sites (certainly Android did not support SNI 12 years ago).

replies(1): >>42183951 #
3. popcalc ◴[] No.42183951[source]
You're going to put it behind nginx anyways, right? So why does it even matter?
replies(1): >>42183988 #
4. Macha ◴[] No.42183988{3}[source]
Client, not server.