(#vh5pwrq) @prologic@twtxt.net

“dependency hell” comes from this “exponential dependency tree” that we inevitably see in ecosystems like NodeJS / NPM

Yes, and these “ecosystems” try to put a band-aid on it by allowing packages to specify which version of a package they need. All that means is you get 7 different versions of the same package bloating up your node_modules folder and 6 critical vulnerabilities from one package.

Then, it’s impossible to keep track of all 1200 of your dependencies and sub-dependencies, so you get a robot to do it for you: Dependabot. What happens when Dependabot dies? Absolute chaos.

NodeJS library authors could just write better libraries and avoid breaking changes every update, and NodeJS software developers in general could fix their programs when they break, but they don’t. It’s on the “ecosystem” to solve for this, and it inevitably does a terrible job.


#5f5rrxa
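
An added example, not part of the original post: a check for the situation described above, where one package ends up installed at several versions. It walks the `packages` map of an npm `package-lock.json` (lockfileVersion 2 or 3); the sample lockfile, its package names and the function name `findDuplicateVersions` are constructed for illustration.

```javascript
// Constructed sample in the shape of an npm package-lock.json (lockfileVersion 3).
// All package names and versions are made up.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/left-helper": { version: "2.1.0" },
    "node_modules/parser-a": { version: "1.4.0" },
    "node_modules/parser-a/node_modules/left-helper": { version: "1.9.3" },
    "node_modules/parser-b": { version: "0.8.1" },
    "node_modules/parser-b/node_modules/left-helper": { version: "1.2.0" },
    "node_modules/@scope/util": { version: "3.0.0" },
    "node_modules/parser-b/node_modules/@scope/util": { version: "3.0.0" },
  },
};

const MARKER = "node_modules/";

// Returns { packageName: { version: [install paths] } } for every package
// that is installed at more than one distinct version.
function findDuplicateVersions(lock) {
  const byName = new Map();
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf(MARKER);
    // Skip the root project ("") and entries without a version (e.g. links).
    if (idx === -1 || !meta.version) continue;
    // The name is everything after the last "node_modules/", which keeps
    // scoped names such as "@scope/util" intact.
    const name = path.slice(idx + MARKER.length);
    if (!byName.has(name)) byName.set(name, new Map());
    const versions = byName.get(name);
    if (!versions.has(meta.version)) versions.set(meta.version, []);
    versions.get(meta.version).push(path);
  }
  const result = {};
  for (const [name, versions] of byName) {
    // Two copies of the same version are not a version conflict; only
    // report names that resolve to different versions.
    if (versions.size > 1) result[name] = Object.fromEntries(versions);
  }
  return result;
}

console.log(JSON.stringify(findDuplicateVersions(sampleLock), null, 2));
```

The install paths in the output show which parent package pulled in each extra version, which is where an advisory against one version has to be traced.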