undefined | Better HN

story

0 pointsjoshstrange5mo ago0 comments

You are using the word differently than everyone else I think. I’ve never heard someone using that word to mean maintain private forks. Then again, even private forks don’t protect you much more than package lock files and they are way more overhead IMHO.

You still need some out-of-band process to pull upstream updates and aside from a built-in “cool down” (until you merge changes) I see that method as having a huge amount of downside.

Yes, you sidestep malicious versions pushed to npm but now you own the build process for all your dependencies and you have to find time to update (and fix builds if they break) all your dependencies.

Locking to a specific version and waiting some period of time (cool down) before updating is way easier and jus as safe IMHO.

0 comments

Yokohiii5mo ago

Vendoring literally just means grabbing the source code from origin and commit it to your repo after a review. The expectation that every repo has important regular updates for you is pure FOMO. And if I don't do random updates for fun, nothing will every break.

[redacted bullshit!]

joshstrangeOP5mo ago

> Version locking wont help you all the time, i.e. if you build fresh envs from scratch.

I'm confused on this. I would imagine it would protect/help you as long as releases are immutable which they are for most package managers (like npm).

> Vendoring literally just means grabbing the source code from origin and commit it to your repo after a review.

Hmm, I don't think it always necessarily means grabbing the source, it can also mean grabbing the built artifacts in my experience.

My biggest issue with vendoring dependencies is it allows for editing of said dependencies. Almost everywhere I've worked that vendored dependencies (copied source or built versions in and committed them) felt the siren song of modifying said dependencies which is hell to deal with later.

Yokohiii5mo ago

You are right about version locking, bullshit on my side, not sure what I was thinking.

I personally don't have a problem with the general ability to change vendor code. The question is whether you want it in an specific case or not. If you update frequently then certainly not. But that decision should be deliberate team policy.

1 more reply

j / k navigate · click thread line to collapse

0 comments

Yokohiii5mo ago

[redacted bullshit!]

joshstrangeOP5mo ago

> Version locking wont help you all the time, i.e. if you build fresh envs from scratch.

I'm confused on this. I would imagine it would protect/help you as long as releases are immutable which they are for most package managers (like npm).

> Vendoring literally just means grabbing the source code from origin and commit it to your repo after a review.

Hmm, I don't think it always necessarily means grabbing the source, it can also mean grabbing the built artifacts in my experience.

Yokohiii5mo ago

You are right about version locking, bullshit on my side, not sure what I was thinking.

1 more reply

j / k navigate · click thread line to collapse