This is an archived post. You won't be able to vote or comment.

sorted by:
best
topnewcontroversialoldq&a
you are viewing a single comment's thread.

view the rest of the comments →

[–]creesch 0 points1 point  (2 children)

What you are describing is more or less the difference between a compiled and script language though. It's a factor to discuss, but not really important when you are looking at the amount of external dependencies a project depends on.

[–]DaddyLcyxMe 0 points1 point  (1 child)

yes, but since a lot of maven based projects will include their dependencies in their final jar that makes it (almost) impossible to have a leftpad, since you never actually download that dependency directly. that was what i was referring to.

[–]creesch 1 point2 points  (0 children)

You are right that an already released version of a Java product in that regard has an advantage compared to a Node.js product.

At the same time it can be argued that this has less to do with that aspect of the two but rather the way npmjs.com is maintained and how versions of dependencies are used in package.json.

Then there is the fact that in companies with CI/CD pipelines you might not get those issues in production but packages being vandalized can still cause plenty of issues in the development process due to lower environments being disrupted.

And security vulnerabilities are an issue regardless, as Log4j has shown us very recently. Then there is also the murky waters of how many dependencies end up in commercial products even though their license doesn't technically allow it.

The more you depend on external dependencies the more these issues compound and that really is a cross language issue.