Something like this:
try:
import requests
except ImportError:
from pip._vendor import requestsGo does this well, to the point where a lot of people in the community say "you don't need a library" for most use cases, only for e.g. database drivers. This is contrary to what a lot of developers believe, that they need e.g. a REST API library or enterprise application framework as soon as possible.
The amount of third-party (non-testing related) dependencies needed for most .NET applications is very manageable and the dependencies themselves (generally) don't come with further third-party dependencies (especially now that JSON serialisation is native).
This means that for most applications, the developers know exactly which dependencies are needed (and they are not hidden away in large folder structures either, the dlls are right next to the assembly).
We have text.json now but I still see people use Newtonsoft JSON.
There's old repo's out there that should be archived and deprecated, yet I see new games use it when the repo is very questionable with automated whitespace or comment commits to keep up the appearance that it is still being maintained[0].
Right now I'm working on a Golang project and the dependency tree is a nightmare to say the least, I hope to be able to rip out the parts I don't need and compile it without the massive bulk that I do not need.
It's very frustrating to want me to trust the author, who trust the author, who trust the author. When I doubt they even audited or looked at what they imported.
I develop as a pure amateur and there are areas I would never get into without libraries.
First are dates, it is a world of pain. Arrow is the answer (in Python)
Then HTML, another world of pain perfectly described in a Stack Overflow answer. Beautifulsoup.
HTTP is arguably easier but requests! :)
At some point there is a risk assessment to do and one should make decisions based on that. Kudos for having gone that way yourself!
I go out of my way to avoid Javascript. Because in all my years of writing software, it has 100% of the time been the root cause for vulnerabilities. These days I just use LiveView.
I'm actively moving away from Node.js and JavaScript in general. This has been triggered by recent spike in supply chain attacks.
Backend: I'm choosing to use Golang, since it has one of the most complete standard libraries. This means I don't have to install 3rd party libraries for common tasks. It is also quite performant, and has great support for DIY cross platform tooling, which I anticipate will become more and more important as LLMs evolve and require stricter guardrails and more complex orchestration.
Frontend: I have no real choice except JavaScript, of course. So I'm choosing ESBuild, which has 0 dependencies, for the build system instead of Vite. I don't mind the lack of HMR now, thanks to how quickly LLMs work. React happily also has 0 dependencies, so I don't need to switch away from there, and can roll my own state management using React Contexts.
Sort of sad, but we can't really say nobody saw this coming. I wish NPM paid more attention to supply chain issues and mitigated them early, for example with a better standard library, instead of just trusting 3rd party developers for basic needs.
Go isn't immune to supply chain attacks, but it has built in a variety of ways of resisting them, including just generally shorter dependency chains that incorporate fewer whacky packages unless you go searching for them. I still recommend a periodic skim over go.mod files just to make sure nothing snuck in that you don't know what it is. If you go up to "Kubernetes" size projects it might be hard to know what every dependency is but for many Go projects it's quite practical to know what most of them are and get a sense they're probably dependable.
[1]: https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck - note this is official from the Go project, not just a 3rd party dependency.
Ok, but it has 112 devDependencies, I'm not really sure "0 dependencies" best describes React.
Also I checked how many deps vuejs has, also 0.
If leftpad, electron, Anthropic, Zed, $shady_library$ gonna help developers beat that obstacle, they'll do it instantly, without thinking, without regret.
Because an app is not built to help you. It's built to make them monies. It's not about the user, never.
Note: I'm completely on the same page with you, with a strict personal policy of "don't import anything unless it's absolutely necessary and check the footprint first".
Yet, I'm not obliged to deliver anything to anyone. I'll develop the tool up to the point of my own needs and standards. I'm not on a time budget, I don't care.
Yes, I personally try to reach to the level of best ones out there, but I don't have a time budget. It's a best effort thing.
I generally judge whether I allocate time for something or not depending on the utility and general longevity of the tool. I hack high utility / short life tools, but give proper effort to long life tools I need. As a side-effect, a long life tool can start very crude and can develop over time to something more polished, making its development time pretty elastic and effort almost negligible on the long run.
For me shipping time is both very long (I tend to take notes and design a tool before writing it), yet almost instant: when I decide that the design is enough for V1, I just pull my template and fill in the blanks, getting a MVP for myself. Then I can add missing features one at a time, and polish the code step by step.
Currently I'm contemplating another tool which is simple in idea, but a bit messy in execution (low level / system programming is always like that), but when it's design is over, the only thing I'll do it is to implement it piece by piece, without no time crunch, because I know it'll be long-living tool.
I can time-share my other hobbies, but I have a few of them. I do this for fun. No need to torture myself. And, I can't realize my all ideas. Some doesn't make sense, some doesn't worth it, some will be eclipsed by other things.
That's life, that's fine.
at least, that's my attitude on it :shrugs:
That's exactly what I'm talking about. The end desire is money, not something else. Not users' comfort, for example. That B2B platform is present because everyone wants money.
Most tools (if not all) charge for services not merely for costs and R&D, but also for profit. Profit rules everything. Users' gained utility (or with the hip term "value") is provided just for money.
Yes, we need money to survive, but the aim is not to survive or earn a "living wage". The target is to earn money to be able to earn more monies. Trying to own all.
This is why enshittification is a thing.
Then you have the user is the product the customer is the advertiser situation. You please the customer enough to have a product to sell to advertiser.
And this before we even touch deceipt. E.g. lying to the customer to make more money.
companies work for their shareholders
kinda
they work for where the power lies. even shareholders get fucked too.
I think maybe the pendulum needs to swing back a little to being very selective about adding dependencies and expecting releases to be stable for the long term. Users shouldn't have to worry about needing to hack around code that was written just 3-4 years ago.
You find a C or fortran library that hasn't been touched in 20 years and (sometimes) it's just because it's complete and there hasn't been any reason to update any parts of it. You can just add it to your project and it will build and be usable immediately. I wish we had more of those.
I agree that I wouldn't roll my own crypto, but virtually anything else? I'm pretty open.
When I was doing Perl more I actually highly liked the Mojolicious module for precisely this reason. It had very few external dependencies beyond Perl standard libs and because of this it was possible to use it without needing to be plugged into all of CPAN.
But with the libraries it provided on its own, it was extremely full featured, and it was otherwise very consistent with how you'd build a standard Web app in basically any modern language, so there was less of an issue with lockin if you did end up deciding you needed to migrate away.
I don't know many people who have shit on Java more than I have, but I have been using it for a lot of stuff in the last year primarily because it has a gigantic standard library, to a point where I often don't even need to pull in any external dependencies. I don't love Oracle, but I suspect that at least if there's a security vulnerability in the JVM or GraalVM, they will likely want to fix it else they risk losing those cushy support contracts that no one actually uses.
I've even gotten to a point where I will write my own HTTP server with NIO (likely to be open sourced once I properly "genericize" it). Admittedly, this is more for pissy "I prefer my own shit" reasons, but there is an advantage of not pulling in a billion dependencies that I am not realistically going to actually audit. I know this is a hot take, but I genuinely really like NIO. For reasons unclear to me, I picked it up and understood it and was able to be pretty productive with it almost immediately.
I think a large standard library is a good middle ground. There's built in crypto stuff for the JVM, for example.
Obviously, a lot of projects do eventually require pulling in dependencies because I only have a finite amount of time, but I do try and minimize this now.
The answer is no, obviously I could use Jetty or Netty or Vert.x and have done all of those plenty of times; of course any of those would require pulling in a third party dependency.
And it's not like the stuff I write performs significantly better; usually I get roughly the same speed as Vert.x when I write it.
I just like having and building my own framework for this stuff. I have opinions on how things should be done, and I am decidedly not a luddite with this stuff. I abuse pretty much every Java 21 feature, and if I control every single aspect of the HTTP server then I'm able to use every single new feature that I want.
I think the continuous churn of versions accelerates this disregard for supply chain. I complained a while back that I couldn't even keep a single version of Python around before end-of-life for many of the projects I work on these days. Not being able to get security updates without changing major versions of a language is a bit problematic, and maybe my use cases are far outside the norm.
But it seems that there's a common view that if there's not continually new things to learn in a programming language, that users will abandon it, or something. The same idea seems to have infected many libraries.
It's cause they have no standard library.
Maybe you're referring to Javascript? Javascript lacks many "standard library" things that Nodejs provides.
The scarier case is Dependabot opening a "patch bump" PR that probably gets merged because everyone ignores minor version bumps.
sudo curl URL | bashThis means the attack can be "invisible", as a cursory glance at the output of the curl can be misleading.
You _have_ to curl with piping the output into a file (like | cat), and examine that file to detect any anomaly.
That sounded really interesting, so I looked it up and found this article from 2016 if anyone else is interested: https://web.archive.org/web/20250622061208/https://www.idont...
This is the best reason for letting users install from npm directly instead of bundling dependencies with the project.
Though plenty of orgs centralize dependencies with something like artifactory, and run scans.
Note that the above probably isn't 100% answerable. However it needs to be the goal. A few people need to care and take care of this for everyone. Few needs to be a large enough to not get overwhelmed by the side of the job.
Those projects typically rely on an external package manager to handle their dependencies for them. Apt, yum, etc. Otherwise you end up in dependency hell trying to get ./configure to find the development headers of whatever it needs. I don't miss those days. Rust/Cargo is a godsend.
I think it would be hard to get any kind of usable capability system without algebraic effects like those of Koka or Scala libraries.
EDIT: Apparently Security Managers are deprecated and slated for removal.
Even if they did, unless the project locked all underlying dependencies to git hashes, all it takes is a single update to one of those and you’re toast.
That’s why things like Dependabot are great.
Go has its opinions and I don't agree with many of them, but the upstream packages combined with golang.org/x allow you to build pretty much anything. And I really like the community that embraced a trend of getting close to zero dependencies for their projects and libraries.
The only dependency I usually have for my projects are C binding or eBPF related. For most of the other parts I can just choose the stdlib.