295 points todsacerdoti | 1 comment
BrenBarn No.45948369
> Sure, you could use blob-util, but then you’d be taking on an extra dependency, with unknown performance, maintenance, and supply-chain risks.

Use of an AI to write your code is also a form of dependency. When the LLM spits out code and you just dump it in your project with limited vetting, that's not really that different from vendoring a dependency. It has a different set of risks, but it still has risks.

nolanl No.45948587
Right, but you do avoid worries like "will I have to update this dependency every week and deal with breaking changes?" or "will the author be compromised in a supply-chain attack, or do a deliberate protestware attack?" etc. As for performance, a lot of npm packages don't have proper tree-shaking, so you might be taking on extra bloat (or installation cost). Your point is well-taken, though.
KPGv2 No.45949629
> you do avoid worries like "will I have to update this dependency every week and deal with breaking changes?"

This is not a worry with NPM. You can just specify a specific version of a dependency in your package.json, and it'll never be updated ever.

I have noticed for years that the JS community is obsessed with updating every package to the latest version no matter what. It's maddening. If it's not broke, don't fix it!
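As an added illustration of the pinning point above (example code written for this page, not from the thread or any commenter): a small Node.js check that reads a package.json and lists direct dependencies whose spec is not an exact version, so ranges, dist-tags and non-registry sources stand out in review. The sample manifest and package names are constructed; exact pins in package.json govern direct dependencies only, and transitive versions are fixed by the lockfile, which this check does not inspect.

```javascript
// Added example: flag package.json dependency specs that are not exact pins.
// Only direct dependencies are covered; transitive versions live in the lockfile.
const EXACT_SEMVER = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;
const SECTIONS = ["dependencies", "devDependencies", "optionalDependencies"];

// Classify one version spec; returns null when it is an exact version pin.
function classifySpec(spec) {
  if (typeof spec !== "string" || spec.trim() === "") return "empty spec";
  if (EXACT_SEMVER.test(spec)) return null;
  // ^1.2.3, ~1.2.3, >=1.0.0, "1.2.3 - 2.0.0", "1.x || 2.x": a range, floats to newer versions
  if (/^(\^|~|>=?|<=?)/.test(spec) || /\s-\s|\|\|/.test(spec)) return "version range";
  // "*", "x", "1.x", "1.2.*", "1", "1.2": wildcard or partial version, also a range
  if (/^(\*|x)$/i.test(spec) || /^\d+(\.\d+)?\.(x|\*)$/i.test(spec) || /^\d+(\.\d+)?$/.test(spec)) {
    return "wildcard or partial version";
  }
  // git/http/file/link/npm aliases and "owner/repo" shorthand bypass the registry entirely
  if (/^(git|github:|https?:|file:|link:|npm:)/.test(spec) || /^[\w.-]+\/[\w.-]+$/.test(spec)) {
    return "non-registry source";
  }
  return "dist-tag or unrecognised spec"; // e.g. "latest", "next": resolved at install time
}

// Parse a package.json text and return every non-pinned direct dependency.
function findUnpinnedDependencies(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  const findings = [];
  for (const section of SECTIONS) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      const reason = classifySpec(spec);
      if (reason) findings.push({ section, name, spec, reason });
    }
  }
  return findings;
}

// Constructed sample manifest (hypothetical package names, not a real project).
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "demo-app",
  dependencies: {
    "blob-util": "2.0.2",                    // exact pin: not reported
    "left-pad": "^1.3.0",                    // caret range
    "some-lib": "latest",                    // dist-tag
    "other-lib": "github:example/other-lib"  // non-registry source
  },
  devDependencies: { "eslint": "~8.0.0", "typescript": "5.4.5" }
});

console.log(JSON.stringify(findUnpinnedDependencies(SAMPLE_PACKAGE_JSON), null, 2));
```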