Dependency management problems are a thing irrespective of the license of those dependencies. Nobody anywhere is writing assembly code entirely on their own, and even then you depend on a compiler. Every software project has dependencies. It's a problem solved by version pinning. I can't believe a tech writer wrote this?
@feld @Gargron I have used it on various production systems for years so that I choose when and how to manage the complexity of upgrading a dependency instead of the dependency authors choosing. It means I can finish out some feature branch before getting into upgrade work. Or, even better, several developers on active feature branches don't all have to figure out a version upgrade just to get the project to build.
@clacke @feld @Gargron Exactly. What we need, and really don't quite have yet (in general), is a way for a person or organization to subscribe to the changelogs of the dependency-tree-assuming-you-were-to-update.
I keep thinking about building this, and what it would require. And first, uh... it would require people to keep changelogs. 😭
@skellat @clacke @feld @Gargron meh. Point taken, but you're going to have that problem no matter what, and there are relatively simple solutions to it. Mirroring the parts of the npm registry you depend on, for example.
npm also changed its policies after that, so an incident like that can't happen in the future.