I agree on "not Maven fault", but I don't find that much bureaucracy insane. For one, changing dependencies on a mature Java project doesn't happen that often, and for another, knowing licensing, possible patent violations and a scan against a known vulnerabilities database is not a bad thing to do, and it's normal for it to take some time as it passes hands between different people. After all, you don't want devs working on licensing and you don't want to waste legal just to run a package through vuln scan software.
Besides, companies that care usually also have a database of previously cleared packages, so one can reduce one's own work/delays by picking from the approved deps list.