paulmillr
commented
3 weeks ago Adding dependency to save 500 bytes is not worth it.
Inlining all the way.
Closed steida closed 3 weeks ago
paulmillr
commented
3 weeks ago Adding dependency to save 500 bytes is not worth it.
Inlining all the way.
steida
commented
3 weeks ago OK, but it's your dependency, so I don't understand why it should be a problem. Anyway, it was just an idea. Feel free to ignore it.
paulmillr
commented
3 weeks ago Imagine all packages incorporate utils tomorrow:
^1.0.0). However, doing so would increase risk of supply chain attacks. Badly published utils will be able to break all dependants at onceSo, overall, brings too much complexity. 500 bytes is not a huge deal.
steida
commented
3 weeks ago utils will need to be constantly updated
That's okay, IMHO.
someone using hashes v1.7 which depend on utils v1.0.0. the same person is using ciphers v1.1 which depend on utils v1.1.0. The person will have two utils, duplicated.
That's expected.
How can duplication be prevented?
No need to do that. That's the feature, not a bug.
What I wanted to say. Each lib can and shall have fixed dependencies, so there is no need to use the last one.
I'm just brainstorming. I thought it would be easier for you to have a single source of truth. But I understand that could lead to a dangerous zone - a monorepo 😂, because with dependencies, you would need a changeset for releasing.
I understand your hesitations; it was just an idea.
I suppose it should be one library to save some bytes when people use both @noble/ciphers and @noble/hashes. Thank you very much for your work.