Understand Your Dependencies

https://deps.dev/
34•dedalus•9mo ago

Comments

recursivedoubts•9mo ago
no dependency is more understandable than the dependency that doesn’t exist
bluGill•9mo ago
That is a trade-off, as if you need something you either need to depend on it or write something to do it yourself. One way you have a dependency, the other way a lot more code to maintain.

I go back and forth on what is best. I constantly hit issues that make me regret whichever choice I made for that one thing.

recursivedoubts•9mo ago
Please forward all complaints to the hospital in which you were born.
agwa•9mo ago
deps.dev does an absolutely terrible job with Go dependencies. It thinks modules are the unit of dependency rather than packages. Consequentially, it reports vulnerabilities in packages that are never even imported. For example, https://deps.dev/go/filippo.io%2Fsunlight shows a "9.1 CRITICAL" vulnerability in a supposed SSH dependency from a project that has nothing to do with SSH.

Google ought to be embarrassed by this, especially when govulncheck <https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck> exists and actually checks whether vulnerable code is reachable.
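
The module-versus-package distinction raised in the comment above, as an added example that is not part of the original post and is not code from deps.dev or govulncheck. All module paths and the advisory ID are constructed, and the check stops at the package import closure, which is coarser than the symbol-level reachability govulncheck performs.

```go
package main

import "fmt"

// Advisory names the vulnerable package inside a module.
type Advisory struct{ ID, Module, Package string }

// Project is a go.mod requirement set plus a package import graph.
type Project struct {
	Root     string
	Requires map[string]bool
	Imports  map[string][]string
}

// Scan returns advisory IDs matched per required module and per package in
// the transitive import closure of the root package.
func Scan(p Project, advs []Advisory) (byModule, byPackage []string) {
	seen := map[string]bool{}
	for stack := []string{p.Root}; len(stack) > 0; {
		pkg := stack[len(stack)-1]
		stack = stack[:len(stack)-1]
		if !seen[pkg] {
			seen[pkg] = true
			stack = append(stack, p.Imports[pkg]...)
		}
	}
	for _, a := range advs {
		if p.Requires[a.Module] {
			byModule = append(byModule, a.ID)
		}
		if seen[a.Package] {
			byPackage = append(byPackage, a.ID)
		}
	}
	return byModule, byPackage
}

// Sample (constructed): app imports only hash; the module's ssh has an advisory.
func Sample() (Project, []Advisory) {
	return Project{"example.com/app", map[string]bool{"example.com/cryptolib": true},
		map[string][]string{
			"example.com/app":           {"example.com/cryptolib/hash"},
			"example.com/cryptolib/ssh": {"example.com/cryptolib/hash"},
		}}, []Advisory{{"EXAMPLE-0001", "example.com/cryptolib", "example.com/cryptolib/ssh"}}
}

func main() {
	byModule, byPackage := Scan(Sample())
	fmt.Println("module-level:", byModule, "package-level:", byPackage)
}
```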

r1chardnl•9mo ago
I don't know how well this makes you understand your dependencies. As for C/C++, a lot of people probably depend on stb single-header-file libraries. There's stb_truetype, but it specifically mentions not to use it on any untrusted/outside .ttf files, which I do like, but you have to keep in mind to bake to bitmaps or only use your own provided .ttf files; thus I would put this dependency in another place, like tooling. Is there a way to do this in other languages like JS and NPM? Maybe carefully choosing which dependencies you include is better?

https://github.com/nothings/stb/blob/master/stb_truetype.h#L...

codr7•9mo ago
Maybe :)

Dependencies are something you learn to be VERY careful with, sooner or later.

simonw•9mo ago
Surprising that Click https://deps.dev/pypi/click/8.1.8 is listed as "license unknown" - https://pypi.org/project/click/ knows that it's BSD.
