1. 7
  1. 12

    After reading this through, I’m not convinced it isn’t satire.

    1. 1

      It has to be. I’ve never seen someone say they intentionally don’t version any of their software.

    2. 8

      The title could be changed to “Dependency management considered harmful”. The author doesn’t really call out anything specific to Go’s modules.

      1. 1

        I can understand liking $GOPATH. I can understand not liking some (or even all) of the decisions that went into Go modules - which apparently the author does vigorously.

        But if they want to avoid Go modules they are in for a bad time.

        1. 1

          I expressly reject [that the go command shouldn’t start using newer versions of my dependencies until asked] as expressly harmful and something I do not want. Any Go software I maintain should use the latest dependencies independent of my involvement or approval.

          I don’t see why the author considers this a useful stance — it expands the burden of maintenance¹, opens up an entire class of arbitrary code execution security issues, and exposes your software to breaking changes.

          I think pinned dependencies are valuable. When $THING was working yesterday and it’s broken today, I know that I don’t need to do forensic accounting of dependencies to eliminate whether a third party’s code shifted under me due to something silly like a fresh deploy pulling in new dependency versions.


          ¹: unbounded support and on the developer’s part is implied. Let’s complete the sentence: “[a]ny Go software I maintain should use the latest dependencies [automatically]”… and if any issues arise from that I will intervene in a timely manner.