eastbound
4 months ago
on: Shai-Hulud malware attack: Tinycolor and over 40 N...
On Maven, I restrict packages to Spring and Apache. As opposed to NPM, where even big vendors can depend on hundreds of small ones.
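One way to enforce a group-level allowlist like the one described above is the Maven Enforcer plugin's bannedDependencies rule, which fails the build if any direct or transitive dependency falls outside the allowed groupIds. This is an added example, not the commenter's own configuration; the plugin version and the exact groupId patterns are assumptions, and any internal groupIds a project publishes itself would need to be added to the includes.

```xml
<!-- Added example: pom.xml build section that fails the build when any
     dependency (transitive ones included, since searchTransitive defaults
     to true) is not from Spring or Apache. Version is an assumption. -->
<build>
  <plugins>
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-enforcer-plugin</artifactId>
      <version>3.4.1</version>
      <executions>
        <execution>
          <id>allowlist-dependency-groups</id>
          <goals>
            <goal>enforce</goal>
          </goals>
          <configuration>
            <rules>
              <bannedDependencies>
                <!-- Ban everything by default ... -->
                <excludes>
                  <exclude>*</exclude>
                </excludes>
                <!-- ... then re-admit only the trusted groupId prefixes.
                     Pattern format: groupId[:artifactId[:version]] with wildcards. -->
                <includes>
                  <include>org.springframework*</include>
                  <include>org.apache.*</include>
                </includes>
              </bannedDependencies>
            </rules>
            <fail>true</fail>
          </configuration>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

Running `mvn enforcer:enforce` (or any phase that includes it, by default `validate`) reports each offending artifact with its groupId:artifactId:version so the rejected dependency can be traced to whatever pulled it in.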
skydhash
4 months ago
This. You would expect some of the mature packages to be quite diligent about dependencies, but they are the ones pulling random stuff for a minor feature. Then the transitive dependencies add like GBs of files to your project.