Linux Dev Time – Episode 148

In episode 148 of Linux Dev Time, the hosts dive deep into the contentious topic of automated dependency management, focusing on GitHub's Dependabot and its impact on development workflows. They explore the criticism from Filippo Valsorda, who calls Dependabot a 'noise machine' that creates false productivity by encouraging mindless merges without critical evaluation. The panel agrees that while staying up to date with dependencies is essential for security and feature access, doing so through automated bots leads to unnecessary churn, especially in compliance-heavy environments. They advocate for a more principled approach—using tools like GoVulnCheck and RustSec to assess actual vulnerability exposure, running tests against updated dependencies in CI, and reviewing changes manually before merging. The discussion expands to include language-specific nuances: Go’s strong standard library and culture of minimalism reduce dependency bloat, while JavaScript’s lack of a robust standard library necessitates more external packages, sometimes leading to absurdities like 'is-number'. The hosts also debate version pinning, lock files, and the growing consensus to always check in lock files for reproducibility, even in libraries. They highlight the risks of uncontrolled dependency resolution, especially in older Python projects without version constraints, and praise modern tools like Poetry and UV for bringing Rust-like reliability to other ecosystems. The episode closes with a lighthearted tease about 'made-up dependencies'—a current trend in the dev community.