
295 points todsacerdoti | 1 comments
Aperocky ◴[] No.45948201[source]
> the era of small, low-value libraries like blob-util is over.

Thankfully (not against blob-util specifically because I've never intentionally used it), I wouldn't completely blame LLMs either, since languages like Go never had this dependency hell.

npm is a security nightmare not just because of npm the package manager, but because the culture of the language rewards behavior such as "left-pad".

Instead of writing endless utilities for other projects to re-use, write actual working things instead - that's where the value/fun is.

replies(3): >>45948291 #>>45948576 #>>45956235 #
ncruces ◴[] No.45948291[source]
But as Go puts it:

“A little copying is better than a little dependency.”

https://go-proverbs.github.io/

replies(2): >>45948486 #>>45948539 #
threatofrain ◴[] No.45948539[source]
Copying is just as much dependency, you just have to do maintenance through manual find-and-replace now.
replies(7): >>45948640 #>>45948666 #>>45948754 #>>45948756 #>>45949127 #>>45949152 #>>45949481 #
SchemaLoad ◴[] No.45949481[source]
Most of these util libraries require basically no changes ever. The problem is the package maintainers getting hacked and malicious versions getting pushed out.
replies(1): >>45949653 #
KPGv2 ◴[] No.45949653[source]
If you use an LLM to generate a function, it will never be updated.

So why not do the same thing with a dependency? Install it once and never update it (and therefore hacked and malicious versions can never arrive in your dependency tree).

You're a JS developer, right? That's the group who thinks a programmer's job includes constantly updating dependencies to the latest version constantly.

replies(2): >>45950339 #>>45950855 #
nineteen999 ◴[] No.45950339{5}[source]
> Install it once and never update it (and therefore hacked and malicious versions can never arrive in your dependency tree).

Huh? What if your once-off installation or vendoring IS a hacked and malicious version and you never realise and never update it? That's worse.

replies(1): >>45950885 #
llbbdd ◴[] No.45950885{6}[source]
Hardly worth responding to, from other comments they're defending Java. They're not used to updates.