i'll never understand dependency count minimization
if my code works, is clean to read, and doesn't take too long to compile, ship it
@er1n dependency count minimization is a bus factor thing as far as I can tell
the bigger your dependency chain is, the higher the chance someone's account gets compromised and suddenly your software is a virus
@er1n imo theres a middle ground. minimizing dependencies shouldnt be the goal, but also every dependency is another way for it to fail on someone elses system due to version mismatch, and another way for things to break in the future when a lib ends up deprecated/unmaintained
Yes, dependency quality should be more important than dependency count. Also depth and the usefulness of your package manager (if any). Some languages have a package manager that'll recurse to arbitrary depth and resolve conflicts. Some languages have luarocks 😂
I'm an old and I like to tell the story about the development community I was in where they were deadlocked over whether to do version 2 in C or rewrite it in something like Ruby. There was this draconian rule about dependencies, too, so I left the original program alone and wrote a wrapper script in the most obscure scripting language that technically satisfied the community requirements
But 20 years later, that program still compiles and runs. So it's not like they were wrong. Just annoying 😎
@er1n bUt leFt pAd
@er1n love too build a tower out of badly specified parts on a shifting foundation that nobody is responsible for
@scanlime true and valid
i guess i'm looking at the slightly-more-conservative rust style of dependency vendoring more than, for instance, node's. "traditional" dependency management is also kinda bad in a different way (wooooo incompatible shared libraries and reliance on fragmented system package managers or the lack thereof)
@er1n there's gotta be a middle ground between entirely monolithic codebases and npm :)
@er1n I'm kinda torn. On one hand, yes, probably you don't need to depend on `is-odd`. On the other hand, having working code is far better than not, and as long as you're not shipping vulnerabilities and can still maintain your thing, cool.
(That said, I'm currently running into a problem where too many dependencies are slowing down compiles that happen thousands of times a day, so I'm working to cut those down.)
@cascode i mainly find this to be an issue with like, c and c++ dependency style stuff, not well-done dependency management like rust
@er1n what about dependencies you refactor out, but forget to remove? does cargo warn about these? do they still get linked into the binary, just to be on the safe side?
A small Mastodon instance run by Erin for herself and her friends.