Russ Cox, who developed the dependency/package management system for Go, writes about the problems with software dependencies. A choice excerpt:
Dependency managers now exist for essentially every programming language. [...] The arrival of this kind of fine-grained, widespread software reuse is one of the most consequential shifts in software development over the past two decades. And if we’re not more careful, it will lead to serious problems.
A package, for this discussion, is code you download from the internet. Adding a package as a dependency outsources the work of developing that code [...] to someone else on the internet, someone you often don’t know. By using that code, you are exposing your own program to all the failures and flaws in the dependency. Your program’s execution now literally depends on code downloaded from this stranger on the internet. Presented this way, it sounds incredibly unsafe. Why would anyone do this?
(Score: 2) by DannyB on Saturday January 26 2019, @04:09AM
I can relate to that. I have less, I think quite a bit less, than 100 dependencies. I also am able to control which versions of which ones get in. I have the possibility to audit them if I wish. In some cases I have looked at the source code for various reasons, if nothing else, merely to study.
I would think 100 jars in Java would be an astonishing number of dependencies. I would expect a few dozen to be "normal" in a program that has a LOT of sophisticated features.
People today are educated enough to repeat what they are taught but not to question what they are taught.
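The two habits the comment above describes, knowing which versions of which dependencies get in and being able to audit them, are exactly what Go's go.mod and go.sum files are meant to make mechanical. The script below is an added example written for this page, not code from the Go project or from the essay the post quotes: it inventories a module's requirements, separates direct from transitively pulled-in ("// indirect") ones, and flags any requirement that has no pinned checksum in go.sum. The go.mod and go.sum contents are constructed for illustration, and the h1: values are placeholders rather than real hashes for the named module versions.

```python
"""Inventory the dependencies declared in a Go module and check that each
one has a pinned checksum in go.sum.

Added example: not code from the Go project or from the quoted essay.
The go.mod / go.sum contents below are constructed for illustration,
and the checksum strings are placeholders, not real hashes.
"""
import re
from dataclasses import dataclass, field

# Constructed go.mod: two direct requirements and two that were pulled in
# transitively (the go tool marks those "// indirect").
GO_MOD = """\
module example.com/app

go 1.21

require (
    github.com/example/logger v1.4.2
    github.com/example/httpx v0.9.0
    github.com/example/color v1.1.0 // indirect
    golang.org/x/text v0.14.0 // indirect
)
"""

# Constructed go.sum. Each module version normally has two lines: one for
# the module zip and one for its go.mod file. github.com/example/color has
# no entry at all, so nothing pins what would be downloaded for it.
GO_SUM = """\
github.com/example/logger v1.4.2 h1:PLACEHOLDERHASHAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
github.com/example/logger v1.4.2/go.mod h1:PLACEHOLDERHASHBBBBBBBBBBBBBBBBBBBBBBBB=
github.com/example/httpx v0.9.0 h1:PLACEHOLDERHASHCCCCCCCCCCCCCCCCCCCCCCCCCC=
github.com/example/httpx v0.9.0/go.mod h1:PLACEHOLDERHASHDDDDDDDDDDDDDDDDDDDDDDDD=
golang.org/x/text v0.14.0 h1:PLACEHOLDERHASHEEEEEEEEEEEEEEEEEEEEEEEEEEE=
golang.org/x/text v0.14.0/go.mod h1:PLACEHOLDERHASHFFFFFFFFFFFFFFFFFFFFFFFF=
"""


@dataclass
class Requirement:
    path: str
    version: str
    indirect: bool


@dataclass
class Report:
    direct: list = field(default_factory=list)
    indirect: list = field(default_factory=list)
    missing_checksum: list = field(default_factory=list)


REQ_LINE = re.compile(r"^\s*(\S+)\s+(v\S+)(\s*//\s*indirect)?\s*$")
SUM_LINE = re.compile(r"^(\S+)\s+(v\S+?)(/go\.mod)?\s+h1:(\S+)$")


def parse_go_mod(text):
    """Return the Requirement entries from a go.mod's require block(s)."""
    reqs = []
    in_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("require ("):
            in_block = True
            continue
        if in_block and line == ")":
            in_block = False
            continue
        if line.startswith("require ") and not in_block:
            # Single-line form: "require github.com/x/y v1.0.0"
            line = line[len("require "):]
        elif not in_block:
            continue
        m = REQ_LINE.match(line)
        if m:
            reqs.append(Requirement(m.group(1), m.group(2), m.group(3) is not None))
    return reqs


def parse_go_sum(text):
    """Map (module path, version) to the h1: hash of the module zip.
    The "/go.mod" lines cover only the go.mod file and are skipped here."""
    sums = {}
    for line in text.splitlines():
        m = SUM_LINE.match(line.strip())
        if m and m.group(3) is None:
            sums[(m.group(1), m.group(2))] = m.group(4)
    return sums


def audit(go_mod_text, go_sum_text):
    """Split requirements into direct and indirect, and list any that lack
    a pinned zip checksum in go.sum."""
    sums = parse_go_sum(go_sum_text)
    report = Report()
    for r in parse_go_mod(go_mod_text):
        (report.indirect if r.indirect else report.direct).append(r)
        if (r.path, r.version) not in sums:
            report.missing_checksum.append(r)
    return report


if __name__ == "__main__":
    rep = audit(GO_MOD, GO_SUM)
    print(f"direct: {len(rep.direct)}, indirect: {len(rep.indirect)}, "
          f"total: {len(rep.direct) + len(rep.indirect)}")
    for r in rep.missing_checksum:
        print(f"no go.sum checksum for {r.path}@{r.version}")
```

Run against a real module, the same two counts give the "how many strangers am I depending on" number the excerpt is concerned with, and the missing-checksum list shows which of those versions are not yet pinned to a specific content hash.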