undefined | Better HN

Skip to content

Top New Best Ask Show Jobs

0 pointstzs2mo ago0 comments

Or find the best third party library and copy the code from a widely used version that has been out long enough to have been well tested into your source tree.

The problem is not third party libraries. It is updating third party libraries when the version you have still works fine for your needs.

0 comments

4 comments · 1 top-level

estebank2mo ago· 3 in thread

Don't do this. Use a package manager that let's you specify a specific version to pin against. Vendoring side steps most automated tooling that can warn you about vulnerabilities. Vendoring is a signal that your tooling is insufficient, 99% of the time.

gjadi2mo ago

Vendoring means you don't have to fetch the internet for every build, that you can work offline, that you're not at the mercy of the oh-so-close-99.999 availability, that it will keep on working in 10 years, and probably other advantages.

If your tooling can pull a dependency from the internet, it could certainly check if more recent version from a vendored one is available.

everforward2mo ago

This is only true if you aren’t internally mirroring those packages.

Most places I’ve worked have Artifactory or something like it sitting between you and actual PyPI/npm/etc. As long as someone has pulled that version at some point before the internet goes out, it’ll continue to work after.

estebank2mo ago

Is there any package manager incapable of working offline?

j / k navigate · click thread line to collapse