reckart commented on issue #161: URL: https://github.com/apache/incubator-annotator/issues/161#issuecomment-1851469244
Just my 10ct on this... I'd opt for sticking with installing dependencies when required and keeping them out of the repo, using the `package.lock` to avoid undesired changes of dependencies through people attacking upstream. Artifact repositories like PyPI, npmjs or Maven Central are quite reliable, and under normal circumstances, once something has been published there, it does not go away. Use of smaller upstream repositories that may not be as reliable, or direct dependencies on GitHub repositories as npm allows, should IMHO be avoided. Unnecessary dependencies should also be avoided.

I believe most of annotator's dependencies are pursuant to its build tooling. IMHO it makes no sense to keep that in the repo. But for a fully autarkic build that would be necessary, and then also for different platforms, etc. It is a rabbit hole.

Also, having dependencies in the repo gives an incentive not to upgrade them regularly, leading to dependency rot. Better to update dependencies with every release (as applicable and sensible) and release regularly. If there are no releases, there is no maintenance. If there is no maintenance, a library should not be used downstream anymore. If there are no users, a reproducible build is moot.