Understand Your Dependencies

34•dedalus•9mo ago

Comments

recursivedoubts•9mo ago

no dependency is more understandable than the dependency that doesn’t exist

bluGill•9mo ago

That is a trade off as if you need something you either need to depend on it, or write something to do it yourself. One way you have a dependency, the other way a lot more code to maintain.

I go back and forth on what is best. I constantly hit issues that make me regret which ever choice I made for that one thing.

recursivedoubts•9mo ago

Please forward all complaints to the hospital in which you were born.

agwa•9mo ago

deps.dev does an absolutely terrible job with Go dependencies. It thinks modules are the unit of dependency rather than packages. Consequentially, it reports vulnerabilities in packages that are never even imported. For example, https://deps.dev/go/filippo.io%2Fsunlight shows a "9.1 CRITICAL" vulnerability in a supposed SSH dependency from a project that has nothing to do with SSH.

Google ought to be embarrassed by this, especially when govulncheck <https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck> exists and actually checks whether vulnerable code is reachable.

r1chardnl•9mo ago

I don't know how well this makes you understand your dependencies. As for C/C++ a lot of people probably depend on stb single header files libraries. There's stb_truetype but it specifically mentions not to use it on any untrusted/outside .ttf files which I do like but you have to keep in mind to bake to bitmaps or only use your own .ttf provided files, thus I would put this dependency in another place like tooling. Is there a way to do this in other languages like JS and NPM? Maybe carefully choosing which dependencies you include is better?

https://github.com/nothings/stb/blob/master/stb_truetype.h#L...

codr7•9mo ago

Maybe :)

Dependencies is something you learn to be VERY careful with, sooner or later.

simonw•9mo ago

Surprising that Click https://deps.dev/pypi/click/8.1.8 is listed as "license unknown" - https://pypi.org/project/click/ knows that it's BSD.

Slint: Cross Platform UI Library

AI and Education: Generative AI and the Future of Critical Thinking

Maple Mono: Smooth your coding flow

Moltbook isn't real but it can still hurt you

Take Back the Em Dash–and Your Voice

Show HN: 289x speedup over MLP using Spectral Graphs

Teaching Mathematics

3D Printed Microfluidic Multiplexing [video]

Abstractions Are in the Eye of the Beholder

Show HN: Routed Attention – 75-99% savings by routing between O(N) and O(N²)

We didn't ask for this internet – Ezra Klein show [video]

The Real AI Talent War Is for Plumbers and Electricians

Show HN: MimiClaw, OpenClaw(Clawdbot)on $5 Chips

I Maintain My Blog in the Age of Agents

The Fall of the Nerds

I'm 15 and built a free tool for reading Greek/Latin texts. Would love feedback

How close is AI to taking my job?

You are the reason I am not reviewing this PR

Show HN: FamilyMemories.video – Turn static old photos into 5s AI videos

How Meta Made Linux a Planet-Scale Load Balancer

A Turing Test for AI Coding

How to Identify and Eliminate Unused AWS Resources

A2CDVI – HDMI output from from the Apple IIc's digital video output connector

CLI for Common Playwright Actions

Would you use an e-commerce platform that shares transaction fees with users?

Show HN: SafeClaw – a way to manage multiple Claude Code instances in containers

The Future of the Global Open-Source AI Ecosystem: From DeepSeek to AI+

The Evolution of the Interface

Azure: Virtual network routing appliance overview

Seedance2 – multi-shot AI video generation