Disappointed to see so many knee-jerk reactions to this. Vendoring dependencies is a simple way to ensure consistent build inputs, and has the bonus effect of decreasing build times.
To respond to the two major criticisms:
1) “It takes a lot of space”
Don’t be so sure. Text diffs and compresses well. I have a 9-year old Node repo that I’ve been vendoring from the beginning and it’s only grown 200MB over that time. (Granted, I’m fairly restrained in my use of dependencies. But I do update them regularly.)
But even if it does take a lot of space… so what? If your dependencies are genuinely so huge that this is a problem, then vendoring may not be right for you. But you could also use one of the many techniques for managing the size of your repo. Or just acknowledge that practices are contextual, and there’s no such thing as “best practice”—just a bunch of trade-offs.
2) “It doesn’t work well with platform-specific code”
This can cause some pain if you’re in a multi-platform environment. The way I deal with it (in Node) is by installing modules with --ignore-scripts, committing the files, running “npm rebuild”, and then adding whatever shows up to .gitignore. I have a little shell script that makes this easier.
This is only an issue for modules that have a platform-specific build, which I try to avoid anyway. But when it comes up, it can be a pain in the butt. I find its pain to be less frequent and more predictable than the pain that comes from not vendoring modules, though, so I put up with it.
Bonus) “It’s not best practice”
Sez who? Dogma is for juniors. “Best practices” are all situational, and the only way to know if a practice is a good idea is to examine its tradeoffs in the context of your situation.
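One way to script the install / commit / rebuild / ignore sequence described above, as an added example and not the commenter's own script. It assumes a repo root containing package.json with npm and git on PATH; the snapshot-and-diff step works on any directory and is what keeps native build outputs out of the vendored tree.

```shell
#!/usr/bin/env sh
# Added example: vendor node_modules as pure text, then fence off whatever
# "npm rebuild" produces so platform-specific binaries never get committed.
# Assumed layout: run from the repo root; node_modules is the vendored dir.

# Sorted listing of every path under a directory, so two snapshots can be diffed.
snapshot_tree() {
    find "$1" -mindepth 1 | LC_ALL=C sort
}

# Append to a .gitignore every path present in the "after" snapshot but absent
# from the "before" snapshot. Entries are root-anchored ("/node_modules/...")
# and already-listed paths are skipped, so repeated runs are idempotent.
# $1: before-snapshot file, $2: after-snapshot file, $3: .gitignore path
ignore_new_paths() {
    before=$1; after=$2; ignore=$3
    [ -f "$ignore" ] || : > "$ignore"
    LC_ALL=C comm -13 "$before" "$after" | while IFS= read -r path; do
        entry="/$path"
        grep -qxF -- "$entry" "$ignore" || printf '%s\n' "$entry" >> "$ignore"
    done
}

# The full procedure from the comment: install without lifecycle scripts,
# commit the text-only tree, rebuild natively, ignore what the rebuild added.
vendor_sync() {
    npm install --ignore-scripts               # no platform-specific output yet
    git add -A node_modules package-lock.json
    git commit -qm "vendor: sync node_modules" || true   # nothing to commit is fine
    before=$(mktemp); after=$(mktemp)
    snapshot_tree node_modules > "$before"
    npm rebuild                                # produces the native build files
    snapshot_tree node_modules > "$after"
    ignore_new_paths "$before" "$after" .gitignore
    rm -f "$before" "$after"
}

# Only run the npm/git steps when explicitly asked, so the helpers can be sourced.
if [ "${1:-}" = "--run" ]; then
    vendor_sync
fi
```

Run it as `sh vendor.sh --run` after updating package.json; anything the rebuild step creates lands in .gitignore rather than in the next commit.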
No, thank you. But I suspect people would still accept and use that tech just like they have accepted always-online/always-listening digital assistants.
Just imagine the possibilities of large-scale manipulations, tho!
shii...strap a tube to my arm and hit me with that mamba juice. be flying for hours...
or more likely arrested for animal abuse, but hey, imagine being the cool druggie who can get high and defend his territory with a snake. this under-bridge be mine.
It wouldn't be necessary if the dependency tree was a pure function of package manifest.
https://developer.okta.com/blog/2019/12/16/semantic-versioni...