[erlang-questions] Patch Package OTP 21.2 Released
Edmond Begumisa
ebegumisa@REDACTED
Sun Dec 16 20:53:44 CET 2018
On Mon, 17 Dec 2018 05:44:22 +1000, Edmond Begumisa
<ebegumisa@REDACTED> wrote:
> On Mon, 17 Dec 2018 02:21:17 +1000, Anthony Ramine <n.oxyde@REDACTED>
> wrote:
>
>> Are you saying you don't do due diligence and just pull dependencies in
>> your project without reviewing them?
>>
>
> Certainly not.
>
> I'm saying that when you've reviewed both your rebar3 direct
> dependencies and their deep dependencies right down to the leaves (every
> .erl file for every git URL in all the rebar.config files), it becomes
> increasingly more difficult to perform this review task when you upgrade
> your direct dependencies and they introduce new indirect dependencies
> and/or when you introduce new direct dependencies. As both the width and
> depth grows, at some point, it becomes impractical as anyone who's used
> Node.js with npm/yarn can attest (half the time you've no idea what all
> those js files NPM has pulled down are doing).
>
> The route Anthony Ramine suggests I think is more practical.
Correction: The route Michael Truog suggests!
> A tool that points you to which parts of which dependencies you need to
> take (another) look at.
>
> - Edmond -
>
>>> On 14 Dec 2018 at 16:52, Edmond Begumisa <ebegumisa@REDACTED>
>>> wrote:
>>>
>>> I foresee many projects looking at those warnings in the
>>> persistent_term docs and thinking "I've weighed it, and I think my
>>> project is 'special' enough to call put/1 and erase/1 a little more
>>> frequently than the documentation suggests, or have more entries than
>>> is recommended, and I have my reasons for not using ETS instead". With
>>> deep dependencies pulled down from github, this kind of thinking gets
>>> compounded and infectious.
>>
>
>
--
Using Opera's mail client: http://www.opera.com/mail/
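As an added illustration of the kind of tool discussed above (example code written for this page, not anything from the thread, from rebar3 or from OTP), the script below follows a rebar3 dependency tree from rebar.config down to the leaves, reports only the dependencies that are new or whose git url/ref changed since a saved review manifest, and points at the persistent_term:put/erase call sites inside them. It works on a constructed {path: text} map of project files so it runs offline; the package names, URLs and tags in the sample are made up.

```python
import re

# {name, {git, "url", {tag|branch|ref, "value"}}} entries in a rebar.config
GIT_DEP = re.compile(r'\{(\w+)\s*,\s*\{git\s*,\s*"([^"]+)"\s*,\s*\{(?:tag|branch|ref)\s*,\s*"([^"]+)"\}\}\}')
# The two calls whose frequency the persistent_term docs warn about
PT_CALL = re.compile(r'\bpersistent_term:(put|erase)\(')

def git_deps(rebar_config):
    """{name: (url, ref)} for every git dependency declared in a rebar.config."""
    return {m[1]: (m[2], m[3]) for m in GIT_DEP.finditer(rebar_config)}
def persistent_term_calls(erl_source):
    """[(line_no, 'put'|'erase')] for each persistent_term:put/erase call site."""
    return [(n, m[1]) for n, line in enumerate(erl_source.splitlines(), 1) for m in PT_CALL.finditer(line)]
def dependency_tree(files):
    """Follow rebar.config -> deps/<name>/rebar.config to the leaves (rebar3 fetches
    transitive deps flat into deps/); the first spec seen for a name wins."""
    tree = git_deps(files["rebar.config"])
    pending = list(tree)
    while pending:
        for sub, spec in git_deps(files.get(f"deps/{pending.pop()}/rebar.config", "")).items():
            if sub not in tree:
                tree[sub] = spec
                pending.append(sub)
    return tree
def audit(files, reviewed):
    """Report every dep that is new or whose (url, ref) differs from `reviewed` (the
    {name: (url, ref)} map saved at the last review), with its put/erase call sites."""
    report = {}
    for name, spec in dependency_tree(files).items():
        if reviewed.get(name) == spec:
            continue  # reviewed at exactly this url/ref before: nothing to re-read
        prefix = f"deps/{name}/src/"
        calls = {path[len(prefix):]: persistent_term_calls(text) for path, text in files.items()
                 if path.startswith(prefix) and path.endswith(".erl") and PT_CALL.search(text)}
        report[name] = {"status": "changed" if name in reviewed else "new", "spec": spec, "persistent_term": calls}
    return report

# Constructed sample project (not real packages): the app depends on cache_lib and util_lib;
# cache_lib pulls in tiny_kv transitively, and tiny_kv is the one calling put/erase.
SAMPLE_FILES = {
    "rebar.config": '{deps, [{cache_lib, {git, "https://example.invalid/cache_lib.git", {tag, "2.0.0"}}},\n'
                    '        {util_lib, {git, "https://example.invalid/util_lib.git", {tag, "1.1.0"}}}]}.\n',
    "deps/cache_lib/rebar.config": '{deps, [{tiny_kv, {git, "https://example.invalid/tiny_kv.git", {branch, "master"}}}]}.\n',
    "deps/cache_lib/src/cache_lib.erl": "-module(cache_lib).\nget(K) -> persistent_term:get({cache_lib, K}).\n",
    "deps/tiny_kv/src/tiny_kv.erl": "-module(tiny_kv).\nset(K, V) -> persistent_term:put({tiny_kv, K}, V).\n"
                                    "del(K) -> persistent_term:erase({tiny_kv, K}).\n",
    "deps/util_lib/src/util_lib.erl": "-module(util_lib).\nid(X) -> X.\n",
}
# What the last review covered: cache_lib at an older tag, util_lib unchanged, tiny_kv never seen.
LAST_REVIEW = {"cache_lib": ("https://example.invalid/cache_lib.git", "1.5.0"), "util_lib": ("https://example.invalid/util_lib.git", "1.1.0")}
```

Running `audit(SAMPLE_FILES, LAST_REVIEW)` leaves util_lib out entirely, lists cache_lib as changed with no put/erase sites, and lists tiny_kv as new with its put and erase lines, which is exactly the short list a reviewer would want after an upgrade.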