Some of the criticisms contain a kernel of truth, but that kernel is wrapped in a bitter shell of entitlement and mean spiritedness.
The Bottom Line
YOU are responsible for your app’s dependencies.
“You” here includes you personally, your team, and your company. It does not include OSS volunteers. It does not include other companies and their developers who contribute to OSS.
You made a choice to depend on a new, unproven library. When the API of that new, unproven library turns out to be unstable, and you have to undergo a rewrite, guess what? That’s your problem.
Libraries can be liabilities as well as assets. This is a basic software fact. Part of your job as a developer is to assess and mitigate risk. If you don’t like the churn rate of a library’s API, don’t depend on it. Yes, it’s hard keeping up with best practices in a chaotic ecosystem, but that’s why you get paid well.
If someone else on your team is making bad decisions about dependencies, speak up. Be a voice of reason.
npm install hairball
Here are some questions to ask before adding a library to your dependencies:
- Is the library battle tested?
- Is its API stable?
- How does its code smell?
- Is it backed by a community of developers that help maintain it?
- Is it backed by a stable organization? Is that organization known for responsible OSS stewardship?
- Is it small enough that none of the other questions matter?
There’s plenty more you could ask. The point is: do your due diligence. If you decide to gamble, own it. Take responsibility.
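To make the checklist above something you can actually run before `npm install`, here is an added example (not code from the original post, and not any npm tool's own logic) that scores a package against those questions using the shape of an npm registry package document, the JSON served at `https://registry.npmjs.org/<name>`. Everything here is constructed: the two registry documents, the package names `hairball` and `tiny-router`, and the thresholds are illustrative assumptions. The install-script check goes one step beyond the post's list, since `preinstall`/`install`/`postinstall` scripts run arbitrary code on every install and are a risk a security reviewer would not want to miss.

```python
"""Score an npm package against the due-diligence checklist in this post.

Added example, not from the original post. The documents below mimic the
npm registry's package JSON but are constructed by hand; names and
thresholds are illustrative assumptions.
"""
from datetime import datetime, timezone

# Constructed sample registry documents (not real packages).
YOUNG_CHURNY = {
    "name": "hairball",
    "time": {
        "created": "2015-01-10T00:00:00.000Z",
        "modified": "2015-06-20T00:00:00.000Z",
        "1.0.0": "2015-01-10T00:00:00.000Z",
        "2.0.0": "2015-03-02T00:00:00.000Z",
        "2.1.0": "2015-04-15T00:00:00.000Z",
        "3.0.0": "2015-06-01T00:00:00.000Z",
        "3.0.1": "2015-06-20T00:00:00.000Z",
    },
    "dist-tags": {"latest": "3.0.1"},
    "maintainers": [{"name": "alice"}],
    "versions": {"3.0.1": {
        "dependencies": {"left-pad": "^1.0.0", "lodash": "^3.0.0"},
        "scripts": {"postinstall": "node setup.js"},
    }},
}
MATURE_SMALL = {
    "name": "tiny-router",
    "time": {
        "created": "2012-05-01T00:00:00.000Z",
        "modified": "2015-02-01T00:00:00.000Z",
        "1.0.0": "2012-05-01T00:00:00.000Z",
        "1.1.0": "2013-08-10T00:00:00.000Z",
        "1.1.1": "2015-02-01T00:00:00.000Z",
    },
    "dist-tags": {"latest": "1.1.1"},
    "maintainers": [{"name": "bob"}, {"name": "carol"}],
    "versions": {"1.1.1": {"dependencies": {}, "scripts": {}}},
}

# Thresholds are assumptions; tune them to your own risk appetite.
MIN_AGE_DAYS = 365            # "battle tested": at least a year in the wild
MAX_MAJOR_BUMPS_PER_YEAR = 1  # "API stable": breaking (major) releases per year
MIN_MAINTAINERS = 2           # "community": not a bus-factor-of-one project
MAX_DIRECT_DEPS = 3           # "small enough": direct dependency footprint
NOW = datetime(2015, 7, 1, tzinfo=timezone.utc)  # fixed "today" for the sample


def _parse_ts(ts):
    # Registry timestamps end in "Z"; fromisoformat needs an explicit offset.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def release_history(doc):
    """[(version, publish time)] in publish order; skips created/modified."""
    hist = [(v, _parse_ts(t)) for v, t in doc["time"].items()
            if v not in ("created", "modified")]
    hist.sort(key=lambda p: p[1])
    return hist


def assess(doc, now=NOW):
    """Answer the checklist for one registry document: metrics plus concerns."""
    hist = release_history(doc)
    age_days = (now - hist[0][1]).days
    majors = {int(v.split(".")[0]) for v, _ in hist}
    bumps_per_year = (len(majors) - 1) / (max(age_days, 1) / 365.25)
    latest = doc["versions"][doc["dist-tags"]["latest"]]
    deps = latest.get("dependencies", {})
    install_scripts = [s for s in latest.get("scripts", {})
                       if s in ("preinstall", "install", "postinstall")]
    maintainers = len(doc.get("maintainers", []))

    concerns = []
    if age_days < MIN_AGE_DAYS:
        concerns.append("young")
    if bumps_per_year > MAX_MAJOR_BUMPS_PER_YEAR:
        concerns.append("api-churn")
    if maintainers < MIN_MAINTAINERS:
        concerns.append("single-maintainer")
    if len(deps) > MAX_DIRECT_DEPS:
        concerns.append("large-footprint")
    if install_scripts:
        # Beyond the post's list: install scripts execute on every install.
        concerns.append("install-scripts")
    return {
        "name": doc["name"],
        "age_days": age_days,
        "major_bumps_per_year": round(bumps_per_year, 2),
        "maintainers": maintainers,
        "direct_deps": len(deps),
        "install_scripts": install_scripts,
        "concerns": concerns,
    }


if __name__ == "__main__":
    for doc in (YOUNG_CHURNY, MATURE_SMALL):
        print(assess(doc))
```

Against these samples, `hairball` is flagged as young, API-churning, single-maintainer and carrying an install script, while `tiny-router` comes back clean. None of this replaces reading the code (the "how does it smell?" question), but it turns the gamble into a recorded decision you can own.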
React Router and Me
I’ve been developing production React apps for two years. I still use a tiny, homegrown router, which works just fine. When React Router came out, I looked at it, weighed its value against its apparent complexity, and decided to hold off.
After a while, new versions came out with nifty features (async routes, transitions). But the API smelled funny to me, and had not settled, so I continued to wait. I implemented routing features ad hoc in my own code bases. Hacks were made, but they were isolated.
I am not Nostradamus. I just did my homework. I remain hopeful a routing solution will be found by the community. When it does, I will jump on board, and I will be grateful to the developers that volunteered their time. Until then, I’m avoiding the risk.
One of the reasons I was willing to give React a try early on, besides the fact that I liked its functional approach, was that Facebook had a policy of using their open source libraries in production. They are wary of open sourcing anything that has not passed muster.
To be clear: developers that release libraries and then iterate the API in public do not deserve personal scorn for doing so. Let’s be decent humans. Strong opinions can be held and expressed without hostility.