Question for web developers: in production environments, is it standard for you guys to use package managers (npm, yarn, whatever) that download remote code for you, that you guys depend on in your code?
I ask because, multiple times this year (most recently today), another engineer at our company has discovered for the first time how Go's dependency management/package importing works and started freaking out on Slack about it. It is a terribly dumb system, and requires hardcoding the URL for dependencies, like so:
Code:
import "github.com/aws/aws-sdk-go"
Then when you build your code, Go's tools will go download that repo for you. I built a slightly better system on top of this where we actually version the dependencies by commit.
Anyway, this other engineer is freaking out because we depend on remote GitHub repositories that are not controlled by our organization. This is how our server team (working in Go) has always done things, but it's new for our application team that's used to working in C++.
My reaction is basically "this is how the entire web/Go worlds do things and the world hasn't exploded yet" (apart from that one time leftpad happened), but I figured I should make sure that this is, in fact, how the entire web world works. He's freaking out because what if someone deletes the repository?! (we have dozens of engineers with copies of it on their hard drive who can push it to our organization in the incredibly unlikely event that happens)
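The concern in the post (a dependency fetched by URL at build time, with the pinning left to a home-grown tool) is what Go modules later addressed with go.mod (which version you require) and go.sum (the checksum the downloaded source must match). A gap between the two is the silent failure mode: a requirement with no source checksum can be swapped for different content without the build noticing. The following is an added example, not the poster's tool or anything from the thread; it assumes a modern Go toolchain with modules, and the go.mod/go.sum contents and the h1: values in it are constructed placeholders, not real module hashes. It parses both files and reports every requirement whose source tree is not pinned by a checksum, including the subtle case where go.sum carries only the module's `/go.mod` hash.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Constructed sample go.mod (not from the thread): two requirements, one of
// them marked indirect, in the block form the go tool writes.
const SampleGoMod = `module example.com/server

go 1.21

require (
	github.com/aws/aws-sdk-go v1.44.0 // indirect
	golang.org/x/crypto v0.14.0
)
`

// Constructed sample go.sum. The h1: values are placeholders, not real
// checksums. Note that x/crypto has only a "/go.mod" line: that hash covers
// the dependency's go.mod file, not its source tree, so the source is unpinned.
const SampleGoSum = `github.com/aws/aws-sdk-go v1.44.0 h1:PLACEHOLDER-NOT-A-REAL-HASH=
github.com/aws/aws-sdk-go v1.44.0/go.mod h1:PLACEHOLDER-NOT-A-REAL-HASH=
golang.org/x/crypto v0.14.0/go.mod h1:PLACEHOLDER-NOT-A-REAL-HASH=
`

// ParseRequires returns module path -> version for every require directive,
// handling both the single-line and the parenthesised block form.
func ParseRequires(gomod string) map[string]string {
	reqs := make(map[string]string)
	inBlock := false
	for _, raw := range strings.Split(gomod, "\n") {
		line := strings.TrimSpace(raw)
		if i := strings.Index(line, "//"); i >= 0 { // drop trailing comments such as "// indirect"
			line = strings.TrimSpace(line[:i])
		}
		switch {
		case line == "":
			continue
		case inBlock && line == ")":
			inBlock = false
		case inBlock:
			if f := strings.Fields(line); len(f) == 2 {
				reqs[f[0]] = f[1]
			}
		case line == "require (":
			inBlock = true
		case strings.HasPrefix(line, "require "):
			if f := strings.Fields(line); len(f) == 3 {
				reqs[f[1]] = f[2]
			}
		}
	}
	return reqs
}

// ParseSums returns the set of "path version" pairs whose source tree has an
// h1: checksum in go.sum. Lines ending in "/go.mod" are deliberately skipped
// because they pin only the dependency's go.mod file.
func ParseSums(gosum string) map[string]bool {
	sums := make(map[string]bool)
	for _, raw := range strings.Split(gosum, "\n") {
		f := strings.Fields(raw)
		if len(f) != 3 || !strings.HasPrefix(f[2], "h1:") {
			continue
		}
		if strings.HasSuffix(f[1], "/go.mod") {
			continue
		}
		sums[f[0]+" "+f[1]] = true
	}
	return sums
}

// MissingSums lists every requirement in go.mod (as path@version) that has no
// source checksum in go.sum, sorted so the output is stable for CI diffs.
func MissingSums(gomod, gosum string) []string {
	sums := ParseSums(gosum)
	var missing []string
	for path, ver := range ParseRequires(gomod) {
		if !sums[path+" "+ver] {
			missing = append(missing, path+"@"+ver)
		}
	}
	sort.Strings(missing)
	return missing
}

func main() {
	for _, m := range MissingSums(SampleGoMod, SampleGoSum) {
		fmt.Println("no source checksum in go.sum for", m)
	}
}
```

Run against the samples it reports `golang.org/x/crypto@v0.14.0` and nothing for the AWS SDK. In a real repository the toolchain's own commands cover the rest of the concern raised in the post: `go mod verify` checks that what is in the module cache still matches go.sum, and `go mod vendor` copies every dependency into the repository so a build no longer needs the upstream repository to exist at all.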