reckart
commented
9 months ago Just my 10ct on this...
I'd opt for sticking with installing dependencies when required and keeping them out of the repo - using the package.lock to avoid undesired changes of dependencies through people attacking upstream.
Artifact repositories like pypy, npmjs or maven central are quite reliable and under normal circumstances, once something has been published there, it does not go away. Use of smaller upstream repositories that may not be as reliable, or direct dependencies on even GitHub repositories as npm allows them should imho be avoided.
Unnecessary dependencies should also be avoided.
I believe most of annotator's dependencies are pursuant to its build tooling. IMHO it makes no sense to keep that in the repo. But for a fully autark build that would be necessary, and then also for different platforms, etc. It is a rabbit hole.
Also, having dependencies in the repo gives incentive to not upgrading them regularly, leading to dependency rot.
Better update dependencies with every release (as applicable and sensible) and release regularly.
If there are no releases, there is no maintenance. If there is no maintenance, a library should not be used downstream anymore. If there are no users, a reproducible build is moot.
mrcolbyrussell
tilgovi
Describe the refactoring action
Pull request #157 closed issue #154 to simplify the build process by using npm instead of yarn for fetching dependencies.
The current state of the project is described in the README "dependencies are automatically installed as part of the build[...]
npm run build-- builds the project".Not requiring a separate step to fetch dependencies isn't a bad affordance for people who want to be able to get annotator built with a single command after cloning, but it is inconvenient wrt other scenarios in the fact that getting all the code is itself not a single step—you fetch part of the code when you clone the repo and then the rest of it (i.e. the dependencies) right before build. This is not unusual for npm-based projects, but it is inconvenient all the same (and unnecessary).
Rather than requiring folks who are merely building annotator fetch dependencies on top, we can dictate that maintainers be responsible for fetching them (at the same time they're that they're affirming, after a package has been changed upstream, that its newest release releases does in fact comprise part of a platform on which annotator can be built).
Expected benefit
Being able to build offline—as long as you've already cloned the repo, then you have what you need to build the project (common expectation up until ~10 years ago, when people started making build scripts hit the network to dynamically fetch other pieces).
Reproducible builds—under the status quo, a developer may successfully build and deploy annotator and then at some later point another developer (or the same person, even) might check out the exact same tag/branch/commit and not be able to successfully complete the build because a dependency has changed upstream. (package-lock.json tries to solve this, but it doesn't, and it's just one big attempt to work around the fact that
npm installand similar workflows are designed to keep people from being able to get dependencies at the same time that they're getting the application code.)See also: