This is a false dichotomy.
> By not having that escape valve
Please do your research before posting. Building packages with bundled dependencies is allowed, actually.
Having a handful of small files from 3rd parties bundled in a few packages is relatively harmless (if they are not security critical) and allowed.
Having 200 dependencies with hundreds of thousands of SLOC creates a significant burden for security updates.
Put security-critical code in some of the dependencies and the burden becomes big. Make the dependencies unstable and it gets worse.
Now create a similar issue for many other packages doing the same and the burden becomes huge, for the whole community.
> This also encourages passive aggressive software design criticisms.
I would call it outspoken criticism of bad software design.