←back to thread

The fate of "small" open source

(nolanlawson.com)
295 points todsacerdoti | 2 comments | 16 Nov 25 19:21 UTC | HN request time: 0.412s | source
Show context
Aperocky ◴[16 Nov 25 20:38 UTC] No.45948201[source]
> the era of small, low-value libraries like blob-util is over.

Thankfully (not against blob-util specifically because I've never intentionally used it), I wouldn't completely blame llms either since languages like Go never had this dependency hell.

npm is a security nightmare not just because of npm the package manager, because the culture of the language rewards behavior such as "left-pad".

Instead of writing endless utilities for other project to re-use, write actual working things instead - that's where the value/fun is.

replies(3): >>45948291 #>>45948576 #>>45956235 #
ncruces ◴[16 Nov 25 20:52 UTC] No.45948291[source]
But as Go puts it:

“A little copying is better than a little dependency.”

https://go-proverbs.github.io/

replies(2): >>45948486 #>>45948539 #
threatofrain ◴[16 Nov 25 21:24 UTC] No.45948539[source]
Copying is just as much dependency, you just have to do maintenance through manual find-and-replace now.
replies(7): >>45948640 #>>45948666 #>>45948754 #>>45948756 #>>45949127 #>>45949152 #>>45949481 #
SchemaLoad ◴[16 Nov 25 23:35 UTC] No.45949481[source]
Most of these util libraries require basically no changes ever. The problem is the package maintainers getting hacked and malicious versions getting pushed out.
replies(1): >>45949653 #
KPGv2 ◴[16 Nov 25 23:58 UTC] No.45949653[source]
If you use an LLM to generate a function, it will never be updated.

So why not do the same thing with a dependency? Install it once and never update it (and therefore hacked and malicious versions can never arrive in your dependency tree).

You're a JS developer, right? That's the group who thinks a programmer's job includes constantly updating dependencies to the latest version constantly.

replies(2): >>45950339 #>>45950855 #
1. nineteen999 ◴[17 Nov 25 02:23 UTC] No.45950339[source]
> Install it once and never update it (and therefore hacked and malicious versions can never arrive in your dependency tree).

Huh? What if your once-off installation or vendoring IS a hacked an malicious version and you never realise and never update it. That's worse.

replies(1): >>45950885 #
2. llbbdd ◴[17 Nov 25 04:39 UTC] No.45950885[source]
Hardly worth responding to, from other comments they're defending Java. They're not used to updates.