
Ask HN: Should you vendor in dependencies instead of using a package manager? - lawa
So I came across this comment recently (https://news.ycombinator.com/item?id=10604168) through a blog post (Dan Luu's post on monolithic version control: https://danluu.com/monorepo/).

Some cursory googling shows that a lot of the internet really hates vendoring (the first hit on a very neutral search like 'vendoring dependencies' tells me it is 'evil'), but at the same time giant companies like Google most definitely vendor in all their dependencies (and AFAIK, build everything from source).

So as a discussion point...
1) Should we vendor in our dependencies? Is there a point/size of company/size of codebase at which it starts making sense?
2) Have you ever experienced a catastrophic versioning error that actually caused some monetary damage?
3) What were your experiences with vendoring? Was it worth the effort?
======
dozzie
For building your software and its deployment you should actually use a package
manager instead of vendoring and a package manager. That is, a binary package
manager (e.g. APT or Yum) with properly prepared source packages (ones that
never touch the network while being built).
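
One way to check the property named in the comment above, that a source package never touches the network while being built, is to lint its build recipe for fetching commands. This is an added example, not part of the thread; the command list, the function name and the sample debian/rules fragment are constructed assumptions, and the check is a heuristic rather than a sandbox.

```python
import re
import shlex

# Heuristic list for this example; None means any invocation counts.
FETCHERS = {
    "curl": None, "wget": None,
    "git": {"clone", "fetch", "pull"},
    "pip": {"install", "download"}, "pip3": {"install", "download"},
    "npm": {"install", "ci"}, "go": {"get", "install"},
}
OFFLINE_FLAGS = {"--no-index", "--offline"}  # keep the command local

def find_network_steps(recipe):
    """Return (line_number, command) for each step that would fetch."""
    hits = []
    for lineno, line in enumerate(recipe.splitlines(), 1):
        line = line.split("#", 1)[0]                  # drop comments
        for step in re.split(r"&&|\|\||;|\|", line):  # split command chains
            try:
                words = shlex.split(step.strip().lstrip("@-"))
            except ValueError:                        # unbalanced quotes
                continue
            while words and re.fullmatch(r"\w+=.*", words[0]):
                words.pop(0)                          # skip VAR=value prefixes
            if not words:
                continue
            cmd, args = words[0].rsplit("/", 1)[-1], words[1:]
            subs = FETCHERS.get(cmd, set())           # empty set: not a fetcher
            if subs is not None and not (args and args[0] in subs):
                continue
            if OFFLINE_FLAGS & set(args):
                continue
            hits.append((lineno, " ".join(words)))
    return hits

# Constructed debian/rules fragment, not taken from any real package.
SAMPLE_RULES = """\
#!/usr/bin/make -f
override_dh_auto_configure:
\tcurl -sSL https://example.invalid/lib.tar.gz | tar xz
\tpip3 install --no-index --find-links=debian/wheels requests
override_dh_auto_build:
\tGOFLAGS=-mod=vendor go build ./...
\tcd web && npm install
"""

if __name__ == "__main__":
    for lineno, cmd in find_network_steps(SAMPLE_RULES):
        print(f"line {lineno}: build step reaches the network: {cmd}")
```

A lint like this only catches literal commands in the recipe; running the build in an environment with no network access is the stronger check.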

