The fate of "small" open source

(nolanlawson.com)

295 points todsacerdoti | 1 comments | 16 Nov 25 19:21 UTC | HN request time: 0s | source

Show context

Aperocky ◴[16 Nov 25 20:38 UTC] No.45948201[source]▶

> the era of small, low-value libraries like blob-util is over.

Thankfully (not against blob-util specifically because I've never intentionally used it), I wouldn't completely blame llms either since languages like Go never had this dependency hell.

npm is a security nightmare not just because of npm the package manager, because the culture of the language rewards behavior such as "left-pad".

Instead of writing endless utilities for other project to re-use, write actual working things instead - that's where the value/fun is.

replies(3): >>45948291 #>>45948576 #>>45956235 #

ncruces ◴[16 Nov 25 20:52 UTC] No.45948291[source]▶

>>45948201 #

But as Go puts it:

“A little copying is better than a little dependency.”

https://go-proverbs.github.io/

replies(2): >>45948486 #>>45948539 #

threatofrain ◴[16 Nov 25 21:24 UTC] No.45948539[source]▶

>>45948291 #

Copying is just as much dependency, you just have to do maintenance through manual find-and-replace now.

replies(7): >>45948640 #>>45948666 #>>45948754 #>>45948756 #>>45949127 #>>45949152 #>>45949481 #

noosphr ◴[16 Nov 25 22:45 UTC] No.45949152[source]▶

>>45948539 #

Copied text does not inject bitcoin mining malware three months after I paste it.

replies(1): >>45949666 #

KPGv2 ◴[17 Nov 25 00:00 UTC] No.45949666[source]▶

>>45949152 #

Neither does a dependency you don't update, though, which is isomorphic to copied code you never update.

replies(1): >>45952798 #

1. chii ◴[17 Nov 25 11:49 UTC] No.45952798[source]▶

>>45949666 #

somehow, in the js/npm world, dependencies are updated willy nilly, which is the cause of a lot of that ecosystem's headaches.

↑