People just blindly load code written by some rando and set it to auto-update?
Kind of yes and no.
For one, there are actually really useful bots out there that apply a dependency's recent update, run the tests, and create a PR. This requires me to click "merge pull request" manually, so not fully automated.
On the other hand, there are tutorials written without a package.json, so they say import X from 'x'; import Y from 'y', but x and y were versions 2.13 and 4.11 at the time, while a fresh install yields 2.40 and 10.5, and you have no idea why the tutorial isn't working unless you already know too much to need a tutorial.
Also IMHO yarn and npm both kind of don't really work 100% correctly in regards to installs and lock files, unless they fixed it very recently.
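The drift described in the comment above (an unpinned tutorial resolving to newer, possibly breaking, versions) can be checked mechanically. This is an added example, not code from the thread: it compares the versions an author had against what a fresh install resolved, using semver major bumps as the "likely broken" signal. The version maps and the node_modules reader are assumptions, with the sample values constructed to mirror the comment.

```javascript
// Added example (not from the thread): report drift between the versions an
// author pinned and what a fresh install actually resolved.
// Input: two plain objects {name: "x.y.z"}. Sample values below are constructed.
const parseVersion = (v) => {
  const m = /^v?(\d+)\.(\d+)(?:\.(\d+))?/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +(m[3] ?? 0) };
};

// Classify each dependency: "ok", "minor" (same major, different minor/patch),
// "major" (breaking under semver), or "missing" (not installed at all).
function checkDrift(expected, installed) {
  const report = {};
  for (const [name, want] of Object.entries(expected)) {
    const have = installed[name];
    if (!have) { report[name] = { status: 'missing', want }; continue; }
    const a = parseVersion(want), b = parseVersion(have);
    let status = 'ok';
    if (a.major !== b.major) status = 'major';
    else if (a.minor !== b.minor || a.patch !== b.patch) status = 'minor';
    report[name] = { status, want, have };
  }
  return report;
}

// Constructed sample mirroring the comment: x moved 2.13 -> 2.40 (minor drift),
// y moved 4.11 -> 10.5 (major drift, the case that silently breaks a tutorial).
const TUTORIAL_VERSIONS = { x: '2.13.0', y: '4.11.0' };
const FRESH_INSTALL = { x: '2.40.0', y: '10.5.0' };

// Assumed helper: read real resolved versions from node_modules/<name>/package.json
// when run with node inside a project directory.
function readInstalled(names, root = 'node_modules') {
  const fs = require('fs'), path = require('path');
  const out = {};
  for (const n of names) {
    const p = path.join(root, n, 'package.json');
    if (fs.existsSync(p)) out[n] = JSON.parse(fs.readFileSync(p, 'utf8')).version;
  }
  return out;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(checkDrift(TUTORIAL_VERSIONS, FRESH_INSTALL));
}
```

A committed lock file plus a clean install from it (rather than a fresh resolve) is what keeps every entry in this report at "ok".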
Also IMHO yarn and npm both kind of don’t really work 100% correctly in regards to installs and lock files, unless they fixed it very recently.
Yarn and NPM are still like the second most broken package ecosystem after Python and maybe Go (haven't checked on that one in a while but it was super fucky 6 or 7 years ago)