> Why are these threads filled with people who know nothing about node?
That’s quite a bad assumption on your part based on almost no information.
I don’t know about the rest of the thread, but I’m personally quite familiar with node. A lock file doesn’t fix the same issues vendoring does. The lock file gives you an explicit list of the versions used; vendoring saves exact copies of the dependencies with the rest of your code.
By vendoring, anyone who is working on the project is using the exact same version of a dependency, AND you don’t have to care about an external provider (the registry being up, etc.; that’s way easier for your CI too), AND you can review dependency upgrades via git as if they were your own code.
Of course that’s a mess when the JavaScript ecosystem has an infinite number of dependencies for a hello world.