What do people think about Pants in general shaving off some

Question

What do people think about Pants in general shaving off some of its third party dependencies Even though the dep set is already small and from trusted libraries seeing an attack like this after another attack last week has made me sour on third party deps Plus they increase the install time for Pants <https www bleepingcomputer com news security popular coa npm library hijacked to steal user passwords |https www bleepingcomputer com news security popular coa npm library hijacked to steal user passwords >

hundreds-father-404 · Answer

I know lockfiles help a lot to reduce the risk of supply chain attacks

hundreds-father-404 · Answer

Some of our deps seem too hard to replace like PyYAML but others seem reasonable like ansicolors vendor what we use and setproctitle do it in rust

hundreds-father-404 · Answer

Not necessarily that this is high priority thanks to lockfiles and the set being small But curious the general direction to go

witty-crayon-22786 · Answer

on the python side i d like to reduce deps for purely practical reasons i expect that it will make it easier to statically link

witty-crayon-22786 · Answer

in general though i m not sure there are any good rules of thumb we can follow beyond be thoughtful about taking on deps

witty-crayon-22786 · Answer

the rust crate ecosystem makes it very hard to abstain

bitter-ability-32190 · Answer

Vendoring deps helps and usually most python libs have permissive licenses

bitter-ability-32190 · Answer

Additionally JS TS seems more of a target than Python not that is an excuse not to care

witty-crayon-22786 · Answer

we haven t taken a swing at it recently but the medium term ambition is <https github com pantsbuild pants issues 7369>

bitter-ability-32190 · Answer

Yeah I m subscribed to that thread VERY excited to see progress nerd face

witty-crayon-22786 · Answer

the PyOxidizer maintainer has been making steady progress so it s likely due for another attempt

flat-zoo-31952 · Answer

gt Vendoring deps helps and usually most python libs have permissive licenses Vendoring deps exposes you to CVEs discovered after you copy the source into your code unless you re very proactive about backporting fixes to your vendored fork Lockfiles + cautiously optimistic upgrades powered by things like dependabot is probably a safer route

flat-zoo-31952 · Answer

The NPM ecosystem is a bigger threat to this but that just seems to be because they make a tiny little package for everything in that world and the stdlib is so weak that even those little packages tend to have tons of transitive deps so it s very easy to end up dragging in something bad

bitter-ability-32190 · Answer

172 700 weekly downloads of `is even` <https www npmjs com package is even>