[erlang-questions] Patch Package OTP 21.2 Released

Edmond Begumisa ebegumisa@REDACTED
Sun Dec 16 20:44:22 CET 2018


On Mon, 17 Dec 2018 02:21:17 +1000, Anthony Ramine <n.oxyde@REDACTED> wrote:

> Are you saying you don't do due diligence and just pull dependencies in  
> your project without reviewing them?
>

Certainly not.

I'm saying that when you've reviewed both your rebar3 direct dependencies  
and their deep dependencies right down to the leaves (every .erl file for  
every git URL in all the rebar.config files), it becomes increasingly  
difficult to perform this review task when you upgrade your direct  
dependencies and they introduce new indirect dependencies, and/or when you  
introduce new direct dependencies. As both the width and depth grow, at  
some point it becomes impractical, as anyone who's used Node.js with  
npm/yarn can attest (half the time you've no idea what all those js files  
NPM has pulled down are doing).

The route Anthony Ramine suggests is, I think, more practical: a tool that  
points you to which parts of which dependencies you need to take (another)  
look at.

- Edmond -

>> Le 14 déc. 2018 à 16:52, Edmond Begumisa <ebegumisa@REDACTED>  
>> a écrit :
>>
>> I foresee many projects looking at those warnings in the  
>> persistent_term docs and thinking "I've weighed it, and I think my  
>> project is 'special' enough to call put/1 and erase/1 a little more  
>> frequently than the documentation suggests, or have more entries than  
>> is recommended, and I have my reasons for not using ETS instead". With  
>> deep dependencies pulled down from github, this kind of thinking gets  
>> compounded and infectious.
>


-- 
Using Opera's mail client: http://www.opera.com/mail/
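The kind of tool the post above asks for, as an added example that is not part of the thread and not Anthony Ramine's or rebar3's own code: it diffs two rebar.lock files and lists only the dependencies a reviewer needs to look at again. The lock-file shape it parses (`{<<"name">>,{pkg,<<"name">>,<<"vsn">>},Level}` and `{<<"name">>,{git,"url",{ref,"sha"}},Level}` entries, with a `pkg_hash` section, and Level 0 meaning a direct dependency) is assumed from rebar3's format; the two lock files and every package name, version, URL and hash in them are constructed sample data, not real releases.

```python
"""Diff two rebar3 lock files and list the dependencies that need (re)review.

Added example for the erlang-questions thread; assumes rebar.lock's term
layout and uses constructed sample data throughout.
"""
import re

# Constructed "before" lock file (sample data, not a real project).
OLD_LOCK = r'''
{"1.1.0",
[{<<"cowboy">>,{pkg,<<"cowboy">>,<<"2.6.1">>},0},
 {<<"cowlib">>,{pkg,<<"cowlib">>,<<"2.7.0">>},1},
 {<<"ranch">>,{pkg,<<"ranch">>,<<"1.7.1">>},1},
 {<<"jsx">>,{git,"https://github.com/talentdeficit/jsx",{ref,"aaaa1111"}},0}]}.
[
{pkg_hash,[
 {<<"cowboy">>, <<"HASH-COWBOY-261">>},
 {<<"cowlib">>, <<"HASH-COWLIB-270">>},
 {<<"ranch">>, <<"HASH-RANCH-171">>}]}
].
'''

# Constructed "after" lock file: cowboy/cowlib bumped, cowlib promoted to a
# direct dep, ranch unchanged in version but with a different hash, jsx moved
# to a new commit, hpack pulled in transitively, lager pinned to a branch.
NEW_LOCK = r'''
{"1.1.0",
[{<<"cowboy">>,{pkg,<<"cowboy">>,<<"2.7.0">>},0},
 {<<"cowlib">>,{pkg,<<"cowlib">>,<<"2.8.0">>},0},
 {<<"hpack">>,{pkg,<<"hpack">>,<<"0.2.3">>},1},
 {<<"ranch">>,{pkg,<<"ranch">>,<<"1.7.1">>},1},
 {<<"jsx">>,{git,"https://github.com/talentdeficit/jsx",{ref,"bbbb2222"}},0},
 {<<"lager">>,{git,"https://github.com/erlang-lager/lager",{branch,"master"}},0}]}.
[
{pkg_hash,[
 {<<"cowboy">>, <<"HASH-COWBOY-270">>},
 {<<"cowlib">>, <<"HASH-COWLIB-280">>},
 {<<"hpack">>, <<"HASH-HPACK-023">>},
 {<<"ranch">>, <<"HASH-RANCH-171-REPUBLISHED">>}]}
].
'''

# One dependency entry: hex package or git checkout, followed by its depth.
DEP_RE = re.compile(
    r'\{<<"(?P<name>[^"]+)">>,\s*'
    r'(?:\{pkg,\s*<<"[^"]+">>,\s*<<"(?P<vsn>[^"]+)">>\}'
    r'|\{git,\s*"(?P<url>[^"]+)",\s*\{(?P<kind>ref|tag|branch),\s*"(?P<pin>[^"]+)"\}\}),'
    r'\s*(?P<level>\d+)\}'
)
# One pkg_hash entry: {<<"name">>, <<"hash">>}.
HASH_RE = re.compile(r'\{<<"(?P<name>[^"]+)">>,\s*<<"(?P<hash>[^"]+)">>\}')


def parse_lock(text):
    """Return {name: {"source": tuple, "level": int, "hash": str|None}}."""
    deps = {}
    for m in DEP_RE.finditer(text):
        if m.group("vsn") is not None:
            source = ("pkg", m.group("vsn"))
        else:
            source = ("git", m.group("url"), m.group("kind"), m.group("pin"))
        deps[m.group("name")] = {"source": source,
                                 "level": int(m.group("level")), "hash": None}
    for m in HASH_RE.finditer(text):
        dep = deps.get(m.group("name"))
        if dep is not None and dep["hash"] is None:
            dep["hash"] = m.group("hash")
    return deps


def describe(source):
    return f"pkg {source[1]}" if source[0] == "pkg" else f"git {source[1]}@{source[3]}"


def review_items(old_text, new_text):
    """Map each dependency that changed in a review-relevant way to its reasons."""
    old, new = parse_lock(old_text), parse_lock(new_text)
    findings = {}

    def note(name, msg):
        findings.setdefault(name, []).append(msg)

    for name, dep in new.items():
        src = dep["source"]
        if src[0] == "git" and src[2] != "ref":
            # A branch or tag can move without the lock file changing.
            note(name, f"mutable {src[2]} pin {src[3]!r}: pin a commit ref instead")
        if name not in old:
            kind = "direct" if dep["level"] == 0 else f"indirect (depth {dep['level']})"
            note(name, f"new {kind} dependency: review from scratch")
            continue
        prev = old[name]
        if prev["source"] != src:
            note(name, f"source changed {describe(prev['source'])} -> {describe(src)}: review the delta")
        elif prev["hash"] != dep["hash"]:
            # Same version string, different tarball: treat as a fresh dependency.
            note(name, "same version but hash changed: verify the package upstream")
        if prev["level"] > 0 and dep["level"] == 0:
            note(name, "indirect dependency became direct: its rebar.config is now yours to watch")
    for name in old:
        if name not in new:
            note(name, "removed: confirm nothing still depends on it")
    return findings


if __name__ == "__main__":
    for name, reasons in sorted(review_items(OLD_LOCK, NEW_LOCK).items()):
        for reason in reasons:
            print(f"{name}: {reason}")
```

Run against the two real lock files (the one committed before the upgrade and the one after) instead of the embedded samples, and the output is the worklist: anything absent from it has neither changed source, hash nor position in the tree since the last full review.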