undefined | Better HN

0 pointsjoshstrange4mo ago0 comments

> Version locking wont help you all the time, i.e. if you build fresh envs from scratch.

I'm confused on this. I would imagine it would protect/help you as long as releases are immutable which they are for most package managers (like npm).

> Vendoring literally just means grabbing the source code from origin and commit it to your repo after a review.

Hmm, I don't think it always necessarily means grabbing the source, it can also mean grabbing the built artifacts in my experience.

My biggest issue with vendoring dependencies is it allows for editing of said dependencies. Almost everywhere I've worked that vendored dependencies (copied source or built versions in and committed them) felt the siren song of modifying said dependencies which is hell to deal with later.

0 comments

Yokohiii4mo ago

You are right about version locking, bullshit on my side, not sure what I was thinking.

I personally don't have a problem with the general ability to change vendor code. The question is whether you want it in an specific case or not. If you update frequently then certainly not. But that decision should be deliberate team policy.

joshstrangeOP4mo ago

> I personally don't have a problem with the general ability to change vendor code. The question is whether you want it in an specific case or not. If you update frequently then certainly not. But that decision should be deliberate team policy.

Fair, in the instances I ran into it was code that was downloaded and unzipped into a "js-library-name" folder but then the code was edited, even worse, the `.min.js` version wasn't touched, just the original one which led to some fun when someone "helpfully" switched to the min versions that didn't have the edit. IMHO, if you want to edit a library then you should be forking and/or making it super obvious that this is not "stock" library X. We also ran into issues with "just updated library Y" and only later realizing someone had modified the older version.

But yes, if it's deliberate and obvious then I don't have an issue modifying, just as long as the team understands it's "their" code now and there is no clean upgrade path in the future.

Yokohiii4mo ago

I'd require vendor code being committed to git and integrated into the CI/CD pipeline. It should be treated as if you own it, just with a policy whether you want to change it or not.

The difficulty to make changes obvious is same for forks and vendored commits, imho. You can write big warnings in commit messages, that's it I guess. Which kind of boils down to deliberate team policy again. But I generally prefer monorepos for various reasons.

j / k navigate · click thread line to collapse

0 pointsjoshstrange4mo ago0 comments

> Version locking wont help you all the time, i.e. if you build fresh envs from scratch.

I'm confused on this. I would imagine it would protect/help you as long as releases are immutable which they are for most package managers (like npm).

> Vendoring literally just means grabbing the source code from origin and commit it to your repo after a review.

Hmm, I don't think it always necessarily means grabbing the source, it can also mean grabbing the built artifacts in my experience.

0 comments

Yokohiii4mo ago

You are right about version locking, bullshit on my side, not sure what I was thinking.

joshstrangeOP4mo ago

But yes, if it's deliberate and obvious then I don't have an issue modifying, just as long as the team understands it's "their" code now and there is no clean upgrade path in the future.

Yokohiii4mo ago

I'd require vendor code being committed to git and integrated into the CI/CD pipeline. It should be treated as if you own it, just with a policy whether you want to change it or not.

j / k navigate · click thread line to collapse