Ah, that would address most of my concerns. I’ll leave this to you all to discuss then.
Okay, so no changes for the end users is just fine with me and others.
So, what benefits do composer, npm, and webpack bring to the developer(s)?
I am not trying to be irritating here, I am genuinely interested in seeing good arguments for and against.
I have a development problem… I know, I will use $new_tech… Now I have three problems: $new_tech, a slew of dependencies, and my original one.
NPM and Webpack are out of the question, so I’ll just advocate for composer:
From a developer perspective it takes more time to manually manage extensions than to do it with a dependency manager. To the extreme you could compare it to using “linux from scratch” or Debian. If there’s a security problem you have to manually get the code and fit it into your project. When you use package-management you just run apt update or composer update respectively. Thinking of the days and weeks I spent on manually doing stuff in Linux in the mid-90s, I’m certainly glad to have package-management now and glad that other OSs (like iOS, Android, OSX, Windows) adopted something similar (appstores).
@fox says he only wants to update when there’s a security shitstorm. There’s a free (for OSS projects) composer service that notifies you when one of your dependencies needs a security update (for GitHub users it even creates pull-requests).
Just for fun, I just tried switching my tt-rss install to composer autoloading. It was a one-line-change. So it’s not like a deep cut into the app or something.
Let’s say that I update tt-rss using git up but do not run composer update (or whatever)… So, now my dependencies are out of date, potentially wrong, and maybe insecure. Do I have to check security updates for all the dependencies of tt-rss? …
Or is this just development side and whatever is in the tt-rss repo is all I need?
Exactly. It’s just on the developer side. You should never run composer update. If a developer wants the users to run composer, they shouldn’t run composer update, either. They should only run composer install which will only install the dependency versions the developer has decided on.
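An added example, not code from this thread or from tt-rss: a check for the scenario raised above, where the code is pulled but the dependencies in vendor/ are not refreshed. It compares the versions pinned in composer.lock with those recorded in vendor/composer/installed.json; the package names and versions in the sample data are constructed, and the function names are hypothetical.

```python
import json

def pinned(lock, include_dev=False):
    """Package name -> version the developer pinned in composer.lock."""
    pkgs = list(lock.get("packages") or [])
    if include_dev:
        pkgs += lock.get("packages-dev") or []
    return {p["name"]: p["version"] for p in pkgs}

def installed(data):
    """Package name -> version recorded in vendor/composer/installed.json.
    Composer 2 wraps the list in {"packages": [...]}; Composer 1 wrote a bare list."""
    pkgs = data["packages"] if isinstance(data, dict) else data
    return {p["name"]: p["version"] for p in pkgs}

def drift(lock, inst, include_dev=False):
    """Compare pinned versions with what is actually present in vendor/."""
    want, have = pinned(lock, include_dev), installed(inst)
    both = sorted(set(want) & set(have))
    return {
        "missing": sorted(set(want) - set(have)),
        "extra": sorted(set(have) - set(want)),
        "mismatch": {n: (have[n], want[n]) for n in both if have[n] != want[n]},
    }

# Constructed sample data (package names are made up, not tt-rss dependencies).
SAMPLE_LOCK = {
    "packages": [
        {"name": "example/feed-parser", "version": "1.4.2"},
        {"name": "example/html-sanitizer", "version": "2.0.1"},
        {"name": "example/http-client", "version": "3.1.0"},
    ],
    "packages-dev": [{"name": "example/test-runner", "version": "9.5.0"}],
}
SAMPLE_INSTALLED = {
    "packages": [
        {"name": "example/feed-parser", "version": "1.4.2"},
        {"name": "example/html-sanitizer", "version": "2.0.0"},
        {"name": "example/old-helper", "version": "0.9.0"},
    ],
    "dev": False,
}

if __name__ == "__main__":
    # Real use: json.load() composer.lock and vendor/composer/installed.json instead.
    print(json.dumps(drift(SAMPLE_LOCK, SAMPLE_INSTALLED), indent=2))
```

Any non-empty result means vendor/ no longer matches what the developer locked, and running composer install brings it back in line.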
Your post got me into the new forum.
I figured that any post titled “Modernizing the codebase / codestructure” would be entertaining to read… It was entertaining but I confess I miss the old fox.
Now please fork off and go write some code. If you actually produce some new functionality people might pay attention to you.