> Dependency management is a major cornerstone of any infosec program. There is more to that than just auto-installing a new dependency version.
We seem to agree? I said check. It’s very useful to have something tell you what’s out of date and what the updates are.
> Because a large dependency graph is slow, insecure, and fragile.
I asked “what”, not “why”. What is enforcing this idea you have of how Deno will be used? I feel like you want it to not be used with lots of dependencies, thus aren’t accounting for how to handle them. However, just because that’s the desired way to use it doesn’t mean it will be used that way. Lots of dependencies may end up still becoming the norm, at which point you’ll wish you had more clearly defined how it should be done instead of letting the first third-party solution win (as ended up happening with npm).