Understand Your Dependencies

34•dedalus•9mo ago

Comments

recursivedoubts•9mo ago

no dependency is more understandable than the dependency that doesn’t exist

bluGill•9mo ago

That is a trade off as if you need something you either need to depend on it, or write something to do it yourself. One way you have a dependency, the other way a lot more code to maintain.

I go back and forth on what is best. I constantly hit issues that make me regret which ever choice I made for that one thing.

recursivedoubts•9mo ago

Please forward all complaints to the hospital in which you were born.

agwa•9mo ago

deps.dev does an absolutely terrible job with Go dependencies. It thinks modules are the unit of dependency rather than packages. Consequentially, it reports vulnerabilities in packages that are never even imported. For example, https://deps.dev/go/filippo.io%2Fsunlight shows a "9.1 CRITICAL" vulnerability in a supposed SSH dependency from a project that has nothing to do with SSH.

Google ought to be embarrassed by this, especially when govulncheck <https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck> exists and actually checks whether vulnerable code is reachable.

r1chardnl•9mo ago

I don't know how well this makes you understand your dependencies. As for C/C++ a lot of people probably depend on stb single header files libraries. There's stb_truetype but it specifically mentions not to use it on any untrusted/outside .ttf files which I do like but you have to keep in mind to bake to bitmaps or only use your own .ttf provided files, thus I would put this dependency in another place like tooling. Is there a way to do this in other languages like JS and NPM? Maybe carefully choosing which dependencies you include is better?

https://github.com/nothings/stb/blob/master/stb_truetype.h#L...

codr7•9mo ago

Maybe :)

Dependencies is something you learn to be VERY careful with, sooner or later.

simonw•9mo ago

Surprising that Click https://deps.dev/pypi/click/8.1.8 is listed as "license unknown" - https://pypi.org/project/click/ knows that it's BSD.

DoNotNotify is now Open Source

Dave Farber has passed away

Why E cores make Apple Silicon fast

Matchlock: Linux-based sandboxing for AI agents

Show HN: LocalGPT – A local-first AI assistant in Rust with persistent memory

Reverse Engineering Raiders of the Lost Ark for the Atari 2600

Haskell for all: Beyond agentic coding

(AI) Slop Terrifies Me

SectorC: A C Compiler in 512 bytes (2023)

LLMs as the new high level language

Rabbit Ear "Origami": programmable origami in the browser (JS)

The Architecture of Open Source Applications (Volume 1) Berkeley DB

Software factories and the agentic moment

Curating a Show on My Ineffable Mother, Ursula K. Le Guin

Modern and Antique Technologies Reveal a Dynamic Cosmos

Speed up responses with fast mode

uLauncher

Hoot: Scheme on WebAssembly

Stories from 25 Years of Software Development

The Legacy of Daniel Kahneman: A Personal View (2025)

Vocal Guide – belt sing without killing yourself

Brookhaven Lab's RHIC concludes 25-year run with final collisions

LineageOS 23.2

Wood Gas Vehicles: Firewood in the Fuel Tank (2010)

In the Australian outback, we're listening for nuclear tests

First Proof

Show HN: I saw this cool navigation reveal, so I made a simple HTML+CSS version

Start all of your commands with a comma (2009)

Substack confirms data breach affects users’ email addresses and phone numbers

Al Lowe on model trains, funny deaths and working with Disney