295 points todsacerdoti | 4 comments
Aperocky No.45948201
> the era of small, low-value libraries like blob-util is over.

Thankfully (not against blob-util specifically, because I've never intentionally used it), I wouldn't completely blame LLMs either, since languages like Go never had this dependency hell.

npm is a security nightmare not just because of npm the package manager, but because the culture of the language rewards behavior such as "left-pad".

Instead of writing endless utilities for other projects to re-use, write actual working things instead - that's where the value/fun is.

replies(3): >>45948291, >>45948576, >>45956235
ncruces No.45948291
But as Go puts it:

“A little copying is better than a little dependency.”

https://go-proverbs.github.io/

replies(2): >>45948486, >>45948539
threatofrain No.45948539
Copying is just as much dependency, you just have to do maintenance through manual find-and-replace now.
replies(7): >>45948640, >>45948666, >>45948754, >>45948756, >>45949127, >>45949152, >>45949481
SchemaLoad No.45949481
Most of these util libraries require basically no changes ever. The problem is the package maintainers getting hacked and malicious versions getting pushed out.
replies(1): >>45949653
1. KPGv2 No.45949653
If you use an LLM to generate a function, it will never be updated.

So why not do the same thing with a dependency? Install it once and never update it (and therefore hacked and malicious versions can never arrive in your dependency tree).

You're a JS developer, right? That's the group who thinks a programmer's job includes constantly updating dependencies to the latest version constantly.

replies(2): >>45950339, >>45950855
2. nineteen999 No.45950339
> Install it once and never update it (and therefore hacked and malicious versions can never arrive in your dependency tree).

Huh? What if your once-off installation or vendoring IS a hacked and malicious version and you never realise and never update it? That's worse.

replies(1): >>45950885
3. llbbdd No.45950855
You're not a web developer, right? See my other comment about context if you want to learn more about the role of context in software development in general. If you keep repeating whatever point you're trying to make about some imaginary driving force to pointlessly update dependencies in web dev, you'll probably continue to embarrass yourself, but it's not hard to understand if you read about it instead of repeating the same drivel under every comment in this thread.
4. llbbdd No.45950885
Hardly worth responding to, from other comments they're defending Java. They're not used to updates.