
> Many developers can afford $36 a year

You realize that my dependency stack contains about 2500 dependencies right? If they all follow this model I’m looking at $90k/year just to contribute to a project.




> You realize that my dependency stack contains about 2500 dependencies

That is amazing: when I was younger, sharing code was a goal, but absolutely nothing could prepare me for your world. Previously I have had the luck to be able to rewrite a lot from scratch, removing most runtime dependencies, although definitely not replacing build dependencies.

I imagine auditing for security, and managing dependency upgrades, must both be onerously expensive time sinks?


> I imagine auditing for security, and managing dependency upgrades, must both be onerously expensive time sinks?

Modern devs don't care. They just install whatever, let it pull in 1000s of other packages, and continue on their merry way.

Meanwhile, a package you use today can root your stuff tomorrow. That is, next update and bam! Package was sold to Evil Entity, or the dev just decides to rm your drive based on geolocation.

I get paid a lot to clean up much of this mess, and while tools such as composer and node.js are useful, they are horrible, horrible security risks.

If you use node or composer, be prepared for dozens of updates weekly. Each update is risk-laden, with feature and security fixes all mashed into one.

On a large project, you'd need multiple devs just to audit all the changes.

But as you will soon see, there will be all sorts of $reasons given, which all lack understanding of how traditional Linux distros handle updates, and boil down to "not my problem" or "someone else magically makes it safe!"


Any copyright time bombs in front-end code?

Have an unobvious copyright condition, get your code in thousands of projects, then spider the internet looking for companies that use your code, and charge them a $1000 “licensing fee”.

Or change the copyright in v1.1.2.2 and wait until everyone updates, and do the same thing.
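
The two failure modes raised above, a point release that pulls in new unverified packages and a point release that quietly swaps the license, are both visible in a lockfile diff if anyone looks. The script below is an added example, not code from this thread or from npm; it compares two constructed snapshots in the package-lock.json v2/v3 "packages" shape (install path to version, integrity and declared license) and reports new transitive packages, version bumps, entries with no integrity hash, and license changes. The package names, versions and hashes are placeholders.

```javascript
// Added example, not code from the HN thread or any project it names.
// It compares two snapshots of a dependency tree, in the package-lock.json
// v2/v3 "packages" shape (install path -> version, integrity, declared
// license), and reports what a reviewer of a dependency update would want
// to see: how many packages are installed, new transitive packages,
// version bumps, entries with no integrity hash, and packages whose
// declared license changed between versions.

// Both lockfiles are constructed for this example; package names and
// hashes are placeholders, not real registry data.
const lockBefore = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-app', version: '1.0.0' },
    'node_modules/left-pad':    { version: '1.3.0', license: 'WTFPL', integrity: 'sha512-aaa' },
    'node_modules/is-array':    { version: '1.0.1', license: 'MIT',   integrity: 'sha512-bbb' },
    'node_modules/some-widget': { version: '2.4.0', license: 'MIT',   integrity: 'sha512-ccc' },
  },
};

const lockAfter = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-app', version: '1.0.0' },
    'node_modules/left-pad':    { version: '1.3.0', license: 'WTFPL', integrity: 'sha512-aaa' },
    'node_modules/is-array':    { version: '1.0.2', license: 'MIT',   integrity: 'sha512-ddd' },
    // A point release that also swaps the license text: the "time bomb".
    'node_modules/some-widget': { version: '2.4.1', license: 'SEE LICENSE IN LICENSE.txt', integrity: 'sha512-eee' },
    // New transitive dependency pulled in by that release, installed
    // nested under some-widget, and recorded without an integrity hash.
    'node_modules/some-widget/node_modules/tiny-helper': { version: '0.0.3', license: 'MIT' },
  },
};

// Package name from an install path: the segment after the last
// "node_modules/", so nested copies resolve to the right name.
function packageName(installPath) {
  const marker = 'node_modules/';
  return installPath.slice(installPath.lastIndexOf(marker) + marker.length);
}

// Every entry except the root project ("") is an installed package.
function installedPackages(lock) {
  return Object.entries(lock.packages).filter(([path]) => path !== '');
}

function dependencyCount(lock) {
  return installedPackages(lock).length;
}

// Diff two lockfiles keyed by install path (npm keeps a hoisted package
// at the same path across updates, so the same path means "same dep").
function auditLockUpdate(oldLock, newLock) {
  const report = { added: [], removed: [], bumped: [], licenseChanged: [], noIntegrity: [] };
  const oldPkgs = Object.fromEntries(installedPackages(oldLock));

  for (const [path, meta] of installedPackages(newLock)) {
    const name = packageName(path);
    const prev = oldPkgs[path];
    if (!prev) {
      report.added.push(`${name}@${meta.version}`);
    } else {
      if (prev.version !== meta.version) {
        report.bumped.push(`${name} ${prev.version} -> ${meta.version}`);
      }
      if (prev.license !== meta.license) {
        report.licenseChanged.push(`${name}: ${prev.license} -> ${meta.license}`);
      }
    }
    // A missing integrity field means npm cannot check that the tarball it
    // installs matches what the lockfile author resolved.
    if (!meta.integrity) report.noIntegrity.push(`${name}@${meta.version}`);
  }

  for (const [path, meta] of installedPackages(oldLock)) {
    if (!newLock.packages[path]) report.removed.push(`${packageName(path)}@${meta.version}`);
  }
  return report;
}

function main() {
  console.log(`installed packages: ${dependencyCount(lockBefore)} -> ${dependencyCount(lockAfter)}`);
  const report = auditLockUpdate(lockBefore, lockAfter);
  for (const [kind, items] of Object.entries(report)) {
    if (items.length) console.log(`${kind}: ${items.join(', ')}`);
  }
}

if (typeof require !== 'undefined' && require.main === module) main();
```

Run against real lockfiles by replacing the two constructed objects with `JSON.parse(fs.readFileSync(...))` of the committed and proposed package-lock.json. Any non-empty `licenseChanged` or `noIntegrity` list is a reason to stop and read the release before merging the bump, which is the audit step the comments above say nobody budgets for.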

> Modern devs don't care

I think the “modern” is superfluous and vaguely insulting: security isn’t/wasn’t cared about by most old-skool developers either!


Maybe that would put a stop to importing stuff like left-pad.

Dependency management has gotten off the rails.


You're not going to contribute to all 2500 of them though. Definitely not in the same year for the duration of the whole year.


? What contribution are you imagining that involves a PR to all 2500 projects?


Applying this business model to every project they use.


Do you PR or raise an issue to every package you use? You can still use 2500 different packages for free. This seems like a good example of how it would work well.


My point is that you are taking their point too literally.

Also, the business model is paying a subscription for the right to submit a pull request. Sure, you could wait until you are about to make the PR to buy the subscription, but that's a pain of its own.

Their point here is that this isn't a scalable business model. That's the assertion that started this whole comment thread.


Let’s imagine you can, for example, fix an issue with the NextJS API system without needing to touch, say, React or Express or a whole load of other deps.


To contribute to 2500 projects, yes, it would cost that. Otherwise your current rights or the license that lets you use those dependencies should already be fine.


If we had subscriptions to dependencies, we would have only 3 or 5 deps, only those required for the app to run. No more `is-array`-like deps. Adding a new one would be deeply thought through and reviewed.


So having 2500 deps would still cost a salary of one developer for a year.

I think most businesses could afford it.



