[erlang-questions] Patch Package OTP 21.2 Released
Edmond Begumisa
ebegumisa@REDACTED
Sun Dec 16 20:44:22 CET 2018
On Mon, 17 Dec 2018 02:21:17 +1000, Anthony Ramine <n.oxyde@REDACTED>
wrote:
> Are you saying you don't do due diligence and just pull dependencies in
> your project without reviewing them?
>
Certainly not.
I'm saying that when you've reviewed both your rebar3 direct dependencies
and their deep dependencies right down to the leaves (every .erl file for
every git URL in all the rebar.config files), it becomes increasingly more
difficult to perform this review task when you upgrade your direct
dependencies and they introduce new indirect dependencies and/or when you
introduce new direct dependencies. As both the width and depth grow, at
some point, it becomes impractical as anyone who's used Node.js with
npm/yarn can attest (half the time you've no idea what all those js files
NPM has pulled down are doing).
The route Anthony Ramine suggests I think is more practical. A tool that
points you to which parts of which dependencies you need to take (another)
look at.
- Edmond -
>> On 14 Dec 2018 at 16:52, Edmond Begumisa <ebegumisa@REDACTED>
>> wrote:
>>
>> I foresee many projects looking at those warnings in the
>> persistent_term docs and thinking "I've weighed it, and I think my
>> project is 'special' enough to call put/1 and erase/1 a little more
>> frequently than the documentation suggests, or have more entries than
>> is recommended, and I have my reasons for not using ETS instead". With
>> deep dependencies pulled down from github, this kind of thinking gets
>> compounded and infectious.
>
--
Using Opera's mail client: http://www.opera.com/mail/
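A tool of the kind Edmond describes, as an added example that is not part of this thread or of rebar3 itself: it diffs two rebar.lock files and lists only the entries that were added, removed or re-sourced, with their depth, so the review pass after an upgrade can be limited to those. The dependency names in sample/0 are constructed.

```erlang
%% lockdiff.erl: list which rebar3 dependencies, direct or transitive, were
%% added, removed or re-sourced between two rebar.lock files, so only those
%% need another review pass. Sample data in sample/0 is constructed.
-module(lockdiff).
-export([main/1, diff/2, sample/0]).

%% Usage: erlc lockdiff.erl && \
%%   erl -noshell -run lockdiff main old/rebar.lock new/rebar.lock -s init stop
main([OldFile, NewFile]) ->
    lists:foreach(fun print/1, diff(load(OldFile), load(NewFile))).

%% rebar.lock is an Erlang term file: {"1.x.0", Deps} followed by attribute
%% lists in the newer format, or a bare Deps list in the older one.
load(File) ->
    {ok, [First | _]} = file:consult(File),
    case First of
        {_Vsn, Deps} when is_list(Deps) -> Deps;
        Deps when is_list(Deps) -> Deps
    end.

%% Lock entries are {Name, Source, Level}: Level 0 is a direct dependency,
%% higher levels are transitive ones pulled in by another dependency.
%% Returns [{Kind, Name, Level, Detail}] sorted shallowest-first.
diff(OldDeps, NewDeps) ->
    Old = maps:from_list([{N, {S, L}} || {N, S, L} <- OldDeps]),
    New = maps:from_list([{N, {S, L}} || {N, S, L} <- NewDeps]),
    Added = [{added, N, L, S} || {N, {S, L}} <- maps:to_list(New),
                                  not maps:is_key(N, Old)],
    Removed = [{removed, N, L, S} || {N, {S, L}} <- maps:to_list(Old),
                                      not maps:is_key(N, New)],
    Changed = [{changed, N, L, {OS, S}} || {N, {S, L}} <- maps:to_list(New),
                                            {ok, {OS, _}} <- [maps:find(N, Old)],
                                            OS =/= S],
    lists:sort(fun({_, N1, L1, _}, {_, N2, L2, _}) -> {L1, N1} =< {L2, N2} end,
               Added ++ Removed ++ Changed).

print({Kind, Name, Level, Detail}) ->
    io:format("~-8s ~-16s depth ~p  ~s~n", [Kind, Name, Level, describe(Detail)]).

describe({pkg, _, Vsn}) -> io_lib:format("hex ~s", [Vsn]);
describe({git, Url, {ref, Ref}}) -> io_lib:format("git ~s @ ~s", [Url, string:slice(Ref, 0, 12)]);
describe({OldSrc, NewSrc}) -> [describe(OldSrc), " -> ", describe(NewSrc)];
describe(Other) -> io_lib:format("~p", [Other]).

%% Constructed sample: bumping a direct dependency also pulled in a new
%% transitive git dependency, which is exactly the entry to go and read.
sample() ->
    Old = [{<<"webfw">>, {pkg, <<"webfw">>, <<"1.0.0">>}, 0},
           {<<"webfw_util">>, {pkg, <<"webfw_util">>, <<"1.0.0">>}, 1}],
    New = [{<<"webfw">>, {pkg, <<"webfw">>, <<"1.1.0">>}, 0},
           {<<"webfw_util">>, {pkg, <<"webfw_util">>, <<"1.0.0">>}, 1},
           {<<"acceptor">>, {git, "https://example.invalid/acceptor.git",
                             {ref, "0123456789abcdef0123456789abcdef01234567"}}, 1}],
    diff(Old, New).
```

Pairing this with `rebar3 tree` shows which direct dependency is responsible for each new transitive entry.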