Vincent Bernat said [Wed, Sep 02, 2015 at 09:47:23AM +0200]:
> If you talk about uglifyjs or the like, it is already packaged and
> doesn't solve all the problems we have (see my message to Odyx,
> <m337yyylr4....@neo.luffy.cx>).
>
> If you talk about Grunt, Grunt comes with a lot of plugins (and does
> almost nothing without those) and each upstream will require different
> plugins with different versions (Grunt plugin versions are evolving
> fast). See the tree I posted for jQuery 3.x in
> <m3y4gwnern....@neo.luffy.cx>. All this dependency chain is maintained
> by a variety of upstreams with different release schedules and goals.

This sounds quite similar to the situation we had with Rails (might still have it, but I cannot say for sure, as I'm not much involved with it anymore). Rails packages a set of Ruby libraries, each of which has its schedule and versions. Rails' developers "curate" such libraries, write some glue between them (sometimes even take over their whole development), and come up with "versions". Those versions have a stable set of libraries presented together.

Of course, that does not (completely) solve the mess we have to deal with when packaging Ruby, as each developer wants her code to work with wildly differing versions of the involved "gems", and... and... Sigh :-) You know what I mean.

But anyway — Grunt can be seen as a whole. If you just see it as a collection of plugins, packaging them becomes just a pointless PITA. We just cannot have different versions of hundreds of projects in Debian and expect to maintain a decent code quality. Bad Things (i.e. software vulnerabilities) can and will happen, and as Neil Williams mentioned earlier on this thread, keeping track of all those embedded code copies becomes an exponentially hard task.