> every sub dependency you don't have direct control over is a potential vulnerable risk
Counterpoint: every sub dependency is a potential vulnerable risk. Possibly a worse risk, because imagine that airtap had 0 dependencies and instead had thousands of SLOC. Would any of that code get reviewed by security researchers?
You're right though that some unused code could be removed this way, and also (going back to a less extreme scenario) just by replacing certain dependencies. You're also right that it's easier to trust a single maintainer. And third, you're right that old unmaintained dependencies (which the use of CJS might suggest) can make us more vulnerable. That's me reading between the lines of what you said.
However. The problem that I think you're describing - namely having to monitor a deep dependency tree - is an application concern (note that I consider airtap to be a module even though it's a CLI). If you want control over a module, then take control. Fork it, copy it into your application, however you want, it's open source. What you can't do, is ask module maintainers to take that burden. Your choice to use airtap (in favor of doing the work yourself) is an implicit choice to do the same for the entire dependency tree. It would be unfair to say "I want the convenience of free software" without extending the same courtesy to the authors of said software.
To me, having dependencies is a sign of health. Yes, npm suffers from software rot, naturally. But monolithic software generally suffers more rot than modular software. The answer to fatigue isn't to put more work in the hands of less people. Though I'm not sure which fatigue you're referring to.
All that said, if you see an opportunity for an easy win by replacing some specific module, great, we can talk about that specific case. I'm just objecting to a somewhat vague question that seemingly asks for free research. Clarification is welcome.
PS. As for the question, when will Airtap move its internals to ESM? I honestly have no idea. There's simply no need yet (at least for the main airtap CLI) and ESM by itself has no benefits here. We will probably be forced to move to ESM if and when we decide to ditch browserify.
there are so many dependencies https://npmgraph.js.org/?q=airtapany
is there any chance to reduce it?
require more modern syntax? use ESM
help upstream packages get rid of unnecessary stuff?
every sub dependency you don't have direct control over is a potential vulnerable risk
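The thread argues about how large and deep airtap's installed tree really is and who should monitor it. The script below is an added example, not code from airtap, from the issue author or from the maintainer: it walks an npm lockfile (lockfileVersion 2 or 3, the "packages" map) and counts what `npm install` would actually put on disk, using the same nearest-node_modules lookup npm uses, so nested duplicate versions are counted as separate copies. The embedded `SAMPLE_LOCK` is constructed for illustration and every package name in it is hypothetical; point it at a real `package-lock.json` to measure a real project.

```javascript
// Added example (not airtap's code). Enumerates the transitive dependency
// closure recorded in an npm lockfile and summarises its size and depth.
//
// SAMPLE_LOCK is constructed for this example; all package names are hypothetical.
const SAMPLE_LOCK = {
  name: "my-app",
  lockfileVersion: 3,
  packages: {
    "": {
      name: "my-app",
      dependencies: { "test-runner": "^1.0.0" },
      devDependencies: { "dev-only-linter": "^4.0.0" },
    },
    "node_modules/test-runner": {
      version: "1.2.0",
      dependencies: { "glob-lite": "^2.0.0", "log-util": "^1.0.0" },
    },
    "node_modules/glob-lite": {
      version: "2.1.0",
      dependencies: { "log-util": "^2.0.0" },
    },
    // glob-lite wants a log-util major that conflicts with the hoisted copy,
    // so npm nests a second copy underneath it.
    "node_modules/glob-lite/node_modules/log-util": { version: "2.0.0" },
    "node_modules/log-util": {
      version: "1.5.0",
      dependencies: { "ansi-colors": "^3.0.0" },
    },
    "node_modules/ansi-colors": { version: "3.2.0" },
    "node_modules/dev-only-linter": { version: "4.0.0", dev: true },
  },
};

// npm's lookup: from the package at `fromPath`, try <fromPath>/node_modules/<name>,
// then walk up one node_modules level at a time to the top level.
// Returns the lockfile key of the copy that would be loaded, or null.
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const key = base === "" ? `node_modules/${name}` : `${base}/node_modules/${name}`;
    if (packages[key]) return key;
    if (base === "") return null;
    const cut = base.lastIndexOf("/node_modules/");
    base = cut === -1 ? "" : base.slice(0, cut);
  }
}

// Breadth-first walk from the root's dependencies (plus devDependencies when
// includeDev is set). Returns Map<lockfileKey, depth>; depth 1 is a direct
// dependency, and BFS records the shortest depth for each installed copy.
function transitiveClosure(lock, { includeDev = false } = {}) {
  const packages = lock.packages || {};
  const root = packages[""] || {};
  const rootDeps = {
    ...(root.dependencies || {}),
    ...(includeDev ? root.devDependencies || {} : {}),
  };
  const seen = new Map();
  const queue = Object.keys(rootDeps)
    .map((name) => resolveDep(packages, "", name))
    .filter(Boolean)
    .map((key) => [key, 1]);
  while (queue.length) {
    const [key, depth] = queue.shift();
    if (seen.has(key)) continue;
    seen.set(key, depth);
    const entry = packages[key];
    const deps = { ...(entry.dependencies || {}), ...(entry.optionalDependencies || {}) };
    for (const name of Object.keys(deps)) {
      const next = resolveDep(packages, key, name);
      if (next && !seen.has(next)) queue.push([next, depth + 1]);
    }
  }
  return seen;
}

// Installed copies, distinct names, maximum depth, and names present in more
// than one version (each extra copy is extra code nobody on the project reviewed).
function summarize(lock, opts) {
  const closure = transitiveClosure(lock, opts);
  const versionsByName = new Map();
  let maxDepth = 0;
  for (const [key, depth] of closure) {
    const name = key.slice(key.lastIndexOf("node_modules/") + "node_modules/".length);
    maxDepth = Math.max(maxDepth, depth);
    const versions = versionsByName.get(name) || [];
    versions.push(lock.packages[key].version);
    versionsByName.set(name, versions);
  }
  const multiVersion = [...versionsByName]
    .filter(([, versions]) => versions.length > 1)
    .map(([name, versions]) => ({ name, versions: [...versions].sort() }));
  return { installed: closure.size, uniqueNames: versionsByName.size, maxDepth, multiVersion };
}

// Summarise a real lockfile passed as argv[2] (CommonJS), otherwise the sample.
if (typeof require === "function" && require.main === module && process.argv[2]) {
  const fs = require("fs");
  console.log(summarize(JSON.parse(fs.readFileSync(process.argv[2], "utf8"))));
} else {
  console.log(summarize(SAMPLE_LOCK));
}
```

On the sample this reports 5 installed copies of 4 distinct packages, a maximum depth of 3, and `log-util` present twice (1.5.0 hoisted, 2.0.0 nested under `glob-lite`); the dev-only linter is excluded unless `includeDev` is passed. Run it as `node deps.js package-lock.json` against a project that depends on airtap to get the production-only numbers the issue is asking about, which is a more useful starting point for "replace this specific module" than a rendered graph.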