
I agree that some amount of friction when including third party dependencies is a vital thing to push people to consider the value versus cost of dependencies (and license review, code review, channel subscriptions are all incredibly important and almost always overlooked); however, how should this work for transitive dependencies? And the dependencies of _those_ dependencies?

The dependency trees for most interpreted or source-distributed languages are ridiculous, and review of even a few of those seems practically impossible in a lot of development environments.
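To make the transitive-dependency question concrete, here is an added example (not code from the thread or from any project it mentions) that walks a constructed, lockfile-shaped dependency map, computes the full transitive closure with its depth, and records which direct dependency pulls each transitive one in. The package names, versions and the `requires` field layout are hypothetical and only loosely modelled on a flattened package-lock; the point is the shape of the review burden, not any real package.

```python
"""Enumerate the transitive closure of a constructed dependency graph
and attribute each transitive package to the direct dependencies that
pull it in. Added example; the lockfile below is hypothetical and
constructed inline (field names are assumed, not from a real tool)."""

from collections import deque

# Constructed sample lockfile: package -> {"version", "requires": [...]}.
# "app" is the project root; everything else is a dependency.
LOCKFILE = {
    "app": {"version": "1.0.0", "requires": ["web", "logger"]},
    "web": {"version": "4.2.0", "requires": ["http-util", "cookie"]},
    "logger": {"version": "2.1.0", "requires": ["colors"]},
    "http-util": {"version": "0.3.1", "requires": ["cookie", "string-pad"]},
    "cookie": {"version": "0.5.0", "requires": []},
    "string-pad": {"version": "1.0.0", "requires": []},
    "colors": {"version": "1.4.0", "requires": ["string-pad"]},
}


def transitive_closure(lock, root):
    """Breadth-first walk from `root`.

    Returns {package: depth} for every package reachable from root,
    excluding root itself. Depth 1 is a direct dependency. Because the
    walk is level-order, the recorded depth is the shortest path.
    """
    depth = {}
    queue = deque((name, 1) for name in lock[root]["requires"])
    while queue:
        name, d = queue.popleft()
        if name in depth:
            continue  # already reached at an equal or shallower depth
        depth[name] = d
        for child in lock.get(name, {}).get("requires", []):
            if child not in depth:
                queue.append((child, d + 1))
    return depth


def pulled_in_by(lock, root):
    """Map every package in the closure to the set of *direct*
    dependencies of `root` whose subtree contains it.

    A transitive package attributed to exactly one direct dependency
    disappears if that one dependency is dropped; one attributed to
    several has to be reviewed regardless of any single choice.
    """
    attribution = {}
    for direct in lock[root]["requires"]:
        attribution.setdefault(direct, set()).add(direct)
        for name in transitive_closure(lock, direct):
            attribution.setdefault(name, set()).add(direct)
    return attribution


def review_burden(lock, root):
    """Summarise what a reviewer actually has to look at for `root`."""
    closure = transitive_closure(lock, root)
    direct = set(lock[root]["requires"])
    return {
        "direct": len(direct),
        "transitive_only": len(set(closure) - direct),
        "max_depth": max(closure.values(), default=0),
    }


if __name__ == "__main__":
    burden = review_burden(LOCKFILE, "app")
    print(f"direct: {burden['direct']}, transitive-only: "
          f"{burden['transitive_only']}, max depth: {burden['max_depth']}")
    for name, owners in sorted(pulled_in_by(LOCKFILE, "app").items()):
        print(f"  {name:<11} via {', '.join(sorted(owners))}")
```

Run against a real flattened lockfile, the same walk is what turns "the tree is ridiculous" into a number: how many packages are transitive-only, how deep they sit, and which of your deliberate choices each one traces back to. That attribution is the hook for applying friction to transitive dependencies: a package reachable from only one direct dependency is a cost charged to that choice, while one reachable from several cannot be avoided by swapping a single library.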



You understand the problem clearly, but you haven't put your finger on the solution.

It's an obvious one, but distasteful to many people.


Perhaps the distaste is blinding me.

Would you care to state the obvious very clearly, for the dense ones among us?


"The dependency trees for most interpreted or source-distributed languages are ridiculous,"

Therefore, you must only use software for which the dependency trees are not ridiculous.

And that means giving up on software with ridiculous dependencies.



