Post AyKFNMHfpGJgpxirc8 by alxlg@mastodon.social
Post #AyKFI0NBrZSdQvka7U by slightlyoff@toot.cafe
2025-09-17T18:18:53Z
1 likes, 0 repeats
The idea that package managers are "bad" or "evil" is wrong. OTOH, the consequences of low-friction software accretion are bad, and sometimes evil. We need a middle ground. That's why I support forcing CAPTCHAs for every dependency, including for each sub-dependency, including for every update. (This is a joke... ish.)
Post #AyKFI4ZOG9b2RvUNgu by slightlyoff@toot.cafe
2025-09-17T18:25:28Z
1 likes, 0 repeats
In all seriousness, though... it should cost more (psychically) to add bajillions of deps to a project's tree, and the cost should go up the heavier it already is. Call it a Module Wealth Tax.
Post #AyKFKZO4eTdubiO24W by agmcleod@mastodon.social
2025-09-17T18:28:52Z
0 likes, 0 repeats
@slightlyoff I think in most of my own projects lately, most of the dependencies have been developer tooling (solidjs & svelte). Build bundles aside, I'm just nervous to touch those from installing corrupted packages on my own machine now :/
Post #AyKFKaZ6Gy3aGCYLtg by slightlyoff@toot.cafe
2025-09-17T18:35:07Z
1 likes, 0 repeats
@agmcleod those are high-interest loans too
Post #AyKFNMHfpGJgpxirc8 by alxlg@mastodon.social
2025-09-17T19:26:27Z
1 likes, 0 repeats
@slightlyoff IMHO package managers are better at propagating important security fixes compared to vendoring or in-house reimplementations. For me the problem is repositories in which everyone can publish freely, instead of curated repositories like the Linux distributions' ones. Also, by organizing dependencies in concentric tiers it would be possible to provide different degrees of security and enable policies like "for this project you can draw from these repositories".