Re: Why Bloat Is Still Software’s Biggest Vulnerability
Richard (Rikki) Andrew Cattermole
richard at cattermole.co.nz
Tue Feb 13 00:56:08 UTC 2024
On 13/02/2024 6:30 AM, H. S. Teoh wrote:
> No amount of D innovation is going to stop programmers infected with the
> madness of dynamic remote dependencies that pull in an arbitrary number
> of external modules. Potentially a different set of them every time you
> build. Tools like cargo or dub actively encourage this model of software
> development.
>
> Which is utterly crazy, if you think about it. Unless you pin every
> dependency to exact versions (who even does that?!), every time you
> build your code you're potentially getting a (subtly) different set of
> dependencies. That means the program you've been trying to debug 5 mins
> ago may not even be the same program you're debugging now. Now of course
> it's possible to turn off this behaviour while debugging, but still, the
> fact that that's the default behaviour is just nuts.
What? Dub doesn't upgrade dependencies for you without you asking for it.
It either has to be missing, or you ran ``dub upgrade``.
To prevent that being an issue long term, you can vendor your cache into
your repository. ``dub build --cache=local``. Unfortunately you have to
provide that on cli every time.
There are solutions here for those who care about it. If you don't care
about it, of course it isn't a solved problem.
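As an added example (not code from the thread, from the poster, or from dub itself), a small audit that checks a project's dub.json dependencies against its dub.selections.json and reports anything not pinned to an exact release or a full commit hash. The selections-file layout (a `versions` map of version strings, `{"path": ...}` objects or `{"repository": ..., "version": ...}` objects) and the sample project files are assumptions constructed for the example.

```python
import json
import re

# Exact release such as "1.2.3" or "1.2.3-beta.1"; "~>", ">=", "*" and friends are ranges.
EXACT_RELEASE = re.compile(r"^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$")
FULL_COMMIT = re.compile(r"^[0-9a-f]{40}$")


def audit_pins(dub_json_text, selections_text):
    """Return sorted (package, reason) pairs for every dependency in dub.json that is
    not pinned reproducibly by dub.selections.json (layout assumed, see lead-in)."""
    deps = json.loads(dub_json_text).get("dependencies", {})
    selections = json.loads(selections_text).get("versions", {})
    findings = []
    for pkg in deps:
        sel = selections.get(pkg)
        if sel is None:
            findings.append((pkg, "no entry in dub.selections.json; resolved afresh on every build"))
        elif isinstance(sel, str):
            if not EXACT_RELEASE.match(sel):
                findings.append((pkg, f"selection {sel!r} is a range, not an exact release"))
        elif "path" in sel:
            findings.append((pkg, f"path dependency {sel['path']!r} is whatever is on disk"))
        elif "repository" in sel:
            if not FULL_COMMIT.match(sel.get("version", "")):
                findings.append((pkg, "git dependency not pinned to a full commit hash"))
        else:
            findings.append((pkg, "unrecognised selection entry"))
    return sorted(findings)


# Constructed sample project files (not from any real project).
SAMPLE_DUB_JSON = json.dumps({"name": "demo", "dependencies": {
    "vibe-d": "~>0.9.0",
    "mir-algorithm": "~>3.20",
    "mylib": {"path": "../mylib"},
    "toolkit": {"repository": "git+https://example.invalid/toolkit.git", "version": "main"},
    "forgotten": "*",
}})
SAMPLE_SELECTIONS = json.dumps({"fileVersion": 1, "versions": {
    "vibe-d": "0.9.8",                 # exact release: reproducible
    "mir-algorithm": "~>3.20.0",       # range: floats between builds
    "mylib": {"path": "../mylib"},     # local checkout: unpinned
    "toolkit": {"repository": "git+https://example.invalid/toolkit.git", "version": "main"},
}})

if __name__ == "__main__":
    for pkg, reason in audit_pins(SAMPLE_DUB_JSON, SAMPLE_SELECTIONS):
        print(f"{pkg}: {reason}")
```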