Socket moves beyond JavaScript and Python and gets into Go

Open source security biz Socket is extending its source code dependency checker, which previously addressed only JavaScript and Python, by adding support for checking Go code. As it announced a $20 million round of Series A funding, the security shop has had a busy week with three additions to its code's toolkit: Full …

  1. Korev Silver badge

    Socket's Dependency Search

    I'm actually disappointed that it's not called Socket and see

  2. sitta_europea Silver badge

    Whatever happened to doing one thing, well?

  3. CowHorseFrog Silver badge

    The image of the analysis of bobjoll is quite terrible.

    One item mentions the package is malware, but there's no reason or links to support their statement.

    The last item mentions the package is unpopular and then rates it as a quality problem. Quality and popularity are not the same thing or a measure of either. If it's bad quality, show a REAL analysis of said package's problems.

    Surely they could pick a better example of the value their product brings, random numbers and colours are hardly professional.

    From this sample I highly doubt their scores or analysis are worth anything, might as well shoot darts at a board and read those scores.

  4. ptribble

    "Applications just use so many dependencies, it boggles the mind."

    And yet rather than actually solve the problem, the industry seems happy to encourage ever deeper dependency trees and throw money at attempting to handle the inevitable fallout.

    What happened to doing proper software engineering?

    1. Anonymous Coward

      I'm not sure what the ideal solution is. Modern software is complex, but you don't want to reinvent the wheel all the time, so you pull in ready-made modules.

      Sure, a given package may be overkill and may include more functionality than you strictly need. How many development hours are you willing to spend to trim a few MB from the size of your application? How many new and interesting bugs will your implementation have versus the existing one?

      The big problem is that each of those relatively small modules adds up, and we get the bloated software we live with today.

    2. CowHorseFrog Silver badge

      I guess you also write to the bare metal, no OS?
