Dependabot neither supports pnpm nor yarn:

The intention from GitHub is clear, Microsoft acquired npm and the fancy new supply-chain-security is just a lousy way of walling people inside the ecosystem.

GitHub is great, github.dev is amazing, VS Code is sick. But no, this one guy of Isaac Schlueter makes me hate this whole supply chain.

pnpm, renovatebot and GitLab: I choose you!

  • 0
    Despite company policy, dependapot's suggestions this year have been even more dangerous than some suggested "fixes" by npm audit, so if there is one thing I learned about automated updates this year: better do it manually and use your own brain.
  • 4
    The cringe...

    While I think that NPM is a broken concept in itself (and thus every package manager that follows the concept), the GitHub messages can be summed together:

    No. Conspiracy!
    Want want want want want (childish tantrums).
    Want even more - VSCode has it!!!
    Gimme gimme gimme gimme gimme!!!!!

    Really love the kindergarten.
  • 0
    @IntrusionCM go to any social platform and scroll down one single screen, you'll see an Ad that you'll never care but you have to see it. Now look at those npm audit warnings, feels familiar? It's some kind of funneling.

    If you're starting to worry they're gonna somehow monetize this once the funneling is established, let me tell you one more thing.

    Right before the Microsoft acquisition, npm launched the "npm fund" feature. Isaac's intention is always so clear, lack of sugarcoating and yet so poorly executed.
  • 0
    @vicary this is completely utter nonsense.

    I have an aggregator to collect RSS feeds for all kind of software and blog...

    HAProxy, FreeDesktop, Planet MariaDb. MariaDB itself, Postgres, Planet Postgres and so on (there are I think hundreds of links... I never counted them, it's very strictly sorted).

    Software needs updates.

    Depending on what the changelog / release notes give, they need it _asap_ or later.

    I spoke of NPMs broken concept earlier... NPM has not one, but a multitude of different versions of each package. To "simplify" package management.

    Which is a completely broken thing to do... For exactly the reason you mentioned. The security holes, especially through transitive dependencies, now grow exponentially thx to simplification. What was a burden became now a black box. Tools like npm audit don't fix this, as you cannot fix the concept. Most cases it might work, but in many cases it's either total far off the track (e.g. stating design decision which are documented like evaluating input) or breaks the whole packaging (eg. changing core libs and everything goes down the drain).

    This is not a conspiracy though.

    This is just a broken concept which made no sense in the beginning.

    Packaging is _hard_. Like fucking hard. Be it transitive dependencies, incompatibilities, language specifics, versioning. It's just fucking hard.

    To think you can have an easy way out by duplicating versions and cheating was the dumbest design decision imho one could make.

    There is only one way to deal with upgrades. Give proper release notes and changelogs, with proper migration notices. And fucking do it then.

    Keeping software out of date and then wondering why jumping 4-5 major versions is a PITA cause everythings changed is _your own fault_.
Add Comment