In addition, dependencies can be pinned (e.g. using @pikapkg's
https://www.skypack.dev/), but this means dependency and security monitoring
tools like @snyksec face entirely new challenges: they now need to discover
dependencies directly from source files.
And what about our beloved package-lock.json? It guarantees that all
dependencies and sub-dependencies are installed at a specific version, which
ensures that everyone building and executing the code gets a specific state (see
@ReproBuilds). #ESM only pins the top level.
It's a classic IT development: progress on one axis (better developer UX,
smaller JS payloads and faster time to interaction on the user side) that at the
same time creates new challenges (or resurfaces old ones).
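The two problems the thread raises, discovering dependencies from source files instead of a manifest and the difference between a version in a CDN URL and a lockfile entry, as an added example (Node.js, no dependencies; this is not code from the thread, from Skypack or from Snyk). The source snippet and the package-lock.json object are constructed sample input; the Skypack path layouts (`/react@17.0.2`, `/pin/<name>@v<version>-<hash>/...`) and the `lockfileVersion` 3 `packages` map are assumptions about the formats, so adjust the regexes for other CDNs.

```javascript
// Added example: scan ESM import specifiers in source text and report how each
// one is pinned, then compare with what a package-lock.json pins.

// Static imports/re-exports (`import x from "..."`, `import "..."`, `export {..} from "..."`)
// and dynamic `import("...")`. `;` is excluded from the lazy part so the match cannot
// run across statements.
const IMPORT_RE =
  /\b(?:import|export)\s+(?:[^'";]*?\s+from\s+)?['"]([^'"]+)['"]|\bimport\s*\(\s*['"]([^'"]+)['"]\s*\)/g;

// Every static and dynamic import specifier found in a source string.
function extractSpecifiers(source) {
  const out = [];
  for (const m of source.matchAll(IMPORT_RE)) out.push(m[1] ?? m[2]);
  return out;
}

// Pull "name" and "version" out of a CDN-style path such as /react@17.0.2,
// /@scope/pkg@1.2.3 or /pin/react@v17.0.2-<hash>/... (assumed Skypack layout).
function parseUrlPin(spec) {
  const url = new URL(spec);
  const path = decodeURIComponent(url.pathname);
  const m = path.match(/\/(?:pin\/)?((?:@[^/@]+\/)?[^/@]+)(?:@v?([^/]+))?/);
  const name = m ? m[1] : null;
  const version = m && m[2] ? m[2] : null;
  let pinning;
  if (!version) pinning = 'none';                                 // CDN serves "latest" at request time
  else if (/^\d+\.\d+\.\d+/.test(version)) pinning = 'exact-url'; // exact, but only for this package
  else pinning = 'range-url';                                     // ^, ~ or major-only: CDN resolves it
  return { host: url.host, name, version, pinning };
}

// Classify one specifier. `lockPackages` is the "packages" map of a lockfileVersion 2/3 lockfile.
function classify(spec, lockPackages) {
  if (/^https?:\/\//.test(spec)) return { spec, kind: 'url', ...parseUrlPin(spec) };
  if (spec.startsWith('.') || spec.startsWith('/')) return { spec, kind: 'local', pinning: 'n/a' };
  // Bare specifier: keep the scope, drop any subpath ("lodash/debounce" -> "lodash").
  const name = spec.startsWith('@') ? spec.split('/').slice(0, 2).join('/') : spec.split('/')[0];
  const entry = lockPackages[`node_modules/${name}`];
  if (!entry) return { spec, kind: 'bare', name, pinning: 'not-in-lockfile' };
  return { spec, kind: 'bare', name, version: entry.version,
           pinning: entry.integrity ? 'locked+integrity' : 'locked' };
}

function auditSource(source, lock) {
  return extractSpecifiers(source).map((s) => classify(s, lock.packages));
}

// How much of the tree the lockfile pins: every entry carries an exact version, and
// entries that are not direct dependencies of the root are the sub-dependencies a URL
// import says nothing about.
function lockfileStats(lockPackages) {
  const direct = new Set(Object.keys(lockPackages['']?.dependencies ?? {}));
  const entries = Object.entries(lockPackages).filter(([k]) => k !== '');
  const nameOf = (k) => k.slice(k.lastIndexOf('node_modules/') + 'node_modules/'.length);
  return {
    total: entries.length,
    transitive: entries.filter(([k]) => !direct.has(nameOf(k))).length,
    withIntegrity: entries.filter(([, v]) => Boolean(v.integrity)).length,
  };
}

// Constructed sample input (not from any real project; the pin hash is made up).
const SAMPLE_SOURCE = `
import React from 'https://cdn.skypack.dev/react@17.0.2';
import confetti from "https://cdn.skypack.dev/canvas-confetti";
import { html } from 'https://cdn.skypack.dev/pin/lit-html@v1.3.0-abcdefghijklmnopqrstuv/mode=imports/optimized/lit-html.js';
import debounce from 'lodash/debounce';
import { helper } from './util.js';
const mod = await import("https://cdn.skypack.dev/preact@^10");
`;

// Constructed lockfileVersion 3 fragment; integrity values are placeholders.
const SAMPLE_LOCK = {
  name: 'demo', lockfileVersion: 3, requires: true,
  packages: {
    '': { name: 'demo', dependencies: { lodash: '^4.17.21', react: '^17.0.2' } },
    'node_modules/lodash': { version: '4.17.21', integrity: 'sha512-CONSTRUCTED' },
    'node_modules/react': { version: '17.0.2', integrity: 'sha512-CONSTRUCTED',
                            dependencies: { 'loose-envify': '^1.1.0', 'object-assign': '^4.1.1' } },
    'node_modules/loose-envify': { version: '1.4.0', integrity: 'sha512-CONSTRUCTED' },
    'node_modules/object-assign': { version: '4.1.1', integrity: 'sha512-CONSTRUCTED' },
  },
};

for (const f of auditSource(SAMPLE_SOURCE, SAMPLE_LOCK)) console.log(JSON.stringify(f));
console.log('lockfile:', JSON.stringify(lockfileStats(SAMPLE_LOCK.packages)));
```

Run it with `node audit.js`. The URL imports come back as `exact-url`, `none` and `range-url`, i.e. at best one package pinned per URL, while the bare `lodash/debounce` import maps to a lockfile entry with an exact version and an integrity hash, and the lockfile also pins the two sub-dependencies that no import statement mentions. A real scanner would also have to handle import maps and specifiers built at runtime, which this regex-based pass deliberately does not attempt.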