
Question: can airtap reduce javascript fatigue? #333

Open
jimmywarting opened this issue Sep 24, 2023 · 1 comment

Comments

@jimmywarting

jimmywarting commented Sep 24, 2023

there are so many dependencies https://npmgraph.js.org/?q=airtapany
is there any chance to reduce them?

require more modern syntax? use ESM
help upstream packages get rid of unnecessary stuff?

every sub-dependency you don't have direct control over is a potential vulnerability risk

@vweevers
Member

every sub-dependency you don't have direct control over is a potential vulnerability risk

Counterpoint: every sub-dependency is a potential vulnerability risk. Possibly a worse risk, because imagine that airtap had 0 dependencies and instead had thousands of SLOC. Would any of that code get reviewed by security researchers?

You're right though that some unused code could be removed this way, and also (going back to a less extreme scenario) just by replacing certain dependencies. You're also right that it's easier to trust a single maintainer. And third, you're right that old unmaintained dependencies (which the use of CJS might suggest) can make us more vulnerable. That's me reading between the lines of what you said.

However. The problem that I think you're describing - namely having to monitor a deep dependency tree - is an application concern (note that I consider airtap to be a module even though it's a CLI). If you want control over a module, then take control. Fork it, copy it into your application, however you want, it's open source. What you can't do, is ask module maintainers to take that burden. Your choice to use airtap (in favor of doing the work yourself) is an implicit choice to do the same for the entire dependency tree. It would be unfair to say "I want the convenience of free software" without extending the same courtesy to the authors of said software.

To me, having dependencies is a sign of health. Yes, npm suffers from software rot, naturally. But monolithic software generally suffers more rot than modular software. The answer to fatigue isn't to put more work in the hands of less people. Though I'm not sure which fatigue you're referring to.

All that said, if you see an opportunity for an easy win by replacing some specific module, great, we can talk about that specific case. I'm just objecting to a somewhat vague question that seemingly asks for free research. Clarification is welcome.

PS. As for the question, when will Airtap move its internals to ESM? I honestly have no idea. There's simply no need yet (at least for the main airtap CLI) and ESM by itself has no benefits here. We will probably be forced to move to ESM if and when we decide to ditch browserify.
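The reply above frames monitoring a deep dependency tree as the application's job, and suggests that a specific module replacement is the kind of thing worth discussing. As an added worked example (not code from either comment, and not part of airtap), here is the accounting a practitioner would do before opening such a discussion: given a package-lock.json, which direct dependency reaches how many installed packages, which of those would actually disappear if that dependency were replaced or vendored, and which names are installed more than once. The lockfile in `LOCK` is constructed for illustration and does not describe airtap's real tree; the function names are mine.

```javascript
// Added example (not from the thread or from airtap): measure what each direct
// dependency pulls into a project by walking a package-lock.json "packages" map
// (lockfileVersion 2 or 3). Paths, names and versions in LOCK are constructed.

const LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "cli-tool": "^1.0.0", "small-lib": "^2.0.0" } },
    "node_modules/cli-tool": {
      version: "1.0.0",
      dependencies: { bundler: "^1.0.0", "shared-util": "^1.0.0" },
    },
    "node_modules/bundler": {
      version: "1.0.0",
      dependencies: { "shared-util": "^1.0.0", "legacy-helper": "^0.1.0" },
    },
    // legacy-helper pins an old shared-util, so npm nests a second copy under it
    "node_modules/legacy-helper": {
      version: "0.1.0",
      dependencies: { "shared-util": "^0.9.0" },
    },
    "node_modules/legacy-helper/node_modules/shared-util": { version: "0.9.0" },
    "node_modules/shared-util": { version: "1.0.0" },
    "node_modules/small-lib": {
      version: "2.0.0",
      dependencies: { "shared-util": "^1.0.0" },
    },
  },
};

// Node-style resolution against the lockfile: try <from>/node_modules/<name>,
// then the same in each ancestor directory, ending at the top-level node_modules.
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = base === "" ? `node_modules/${name}` : `${base}/node_modules/${name}`;
    if (packages[candidate]) return candidate;
    if (base === "") return null; // not installed (e.g. an unmet optional dep)
    const cut = base.lastIndexOf("/node_modules/");
    base = cut === -1 ? "" : base.slice(0, cut);
  }
}

// Every lockfile path reachable from startPath through dependencies and
// optionalDependencies (devDependencies of transitive packages are not installed).
function closureOf(packages, startPath) {
  const seen = new Set([startPath]);
  const stack = [startPath];
  while (stack.length > 0) {
    const current = stack.pop();
    const entry = packages[current] || {};
    const wanted = { ...(entry.dependencies || {}), ...(entry.optionalDependencies || {}) };
    for (const name of Object.keys(wanted)) {
      const resolved = resolveDep(packages, current, name);
      if (resolved !== null && !seen.has(resolved)) {
        seen.add(resolved);
        stack.push(resolved);
      }
    }
  }
  return seen;
}

// For each direct dependency of the root: how many installed packages it reaches,
// and which of those would disappear entirely if it were dropped or vendored.
function reportDirectDeps(lock) {
  const packages = lock.packages;
  const direct = Object.keys(packages[""].dependencies || {});
  const closures = new Map();
  for (const name of direct) {
    const installedAt = resolveDep(packages, "", name);
    closures.set(name, installedAt === null ? new Set() : closureOf(packages, installedAt));
  }
  const report = {};
  for (const [name, reach] of closures) {
    const reachedByOthers = new Set();
    for (const [other, set] of closures) {
      if (other !== name) for (const p of set) reachedByOthers.add(p);
    }
    report[name] = {
      total: reach.size,
      exclusive: [...reach].filter((p) => !reachedByOthers.has(p)).sort(),
    };
  }
  return report;
}

// Names installed more than once (nested copies): a sign of version conflicts
// and one of the places where pinned, unmaintained versions tend to hide.
function duplicatedNames(packages) {
  const copies = new Map();
  for (const p of Object.keys(packages)) {
    if (p === "") continue;
    const name = p.slice(p.lastIndexOf("node_modules/") + "node_modules/".length);
    copies.set(name, (copies.get(name) || 0) + 1);
  }
  return [...copies].filter(([, n]) => n > 1).map(([name]) => name).sort();
}

// Usage on a real project: node this-script.js path/to/package-lock.json
if (typeof require !== "undefined" && require.main === module) {
  const file = process.argv[2];
  const lock = file ? JSON.parse(require("fs").readFileSync(file, "utf8")) : LOCK;
  console.log(JSON.stringify(reportDirectDeps(lock), null, 2));
  console.log("duplicated:", duplicatedNames(lock.packages));
}
```

On the constructed tree this reports `cli-tool` reaching five installed packages, four of which nothing else uses, while `small-lib` reaches two and owns only itself; `shared-util` shows up as a duplicated name because of the nested 0.9.0 copy. That is the shape of argument the maintainer asks for: a specific module, what it costs, and what replacing it would remove. The walk assumes lockfileVersion 2 or 3 (a flat `packages` map keyed by install path); the older v1 format stores a nested `dependencies` tree and is not handled here.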
