I don’t dispute that external dependencies have advantages (yay, code I don’t have to write, or maintain!) but the idea that it only has one disadvantage is very naive.
Many organisations and people have strong requirements – including legal and statutory requirements – regarding the software they use. They may need to audit the software for quality, copyright and trademarks. They may have strict legal or corporate requirements for what they can use, with a long, slow and expensive (in both time and manpower) process for getting external software approved.
Typically, such organisations may have already approved “the Python standard library” as an approved dependency (if they haven’t, they won’t be using Python and we don’t care about them!) but any external third-party library may be simply too hard to get approved.
As a project manager, you don’t control external dependencies. You can’t control API changes or set the priority of upgrades and bug fixes. You have to work around their timetable.
External dependencies can be taken away by legal action (copyright and trademark disputes), or simply because the developer in charge has a fit of pique.
The JavaScript/Node.js community has a culture of heavy reliance on external dependencies, with predictable results, not just leftpad but others. Protestware can easily become malware.
Some Node developers talk about needing to rewrite projects after just 18 months due to the bitrot of external dependencies.
Fortunately the Python community does not have the same extreme culture of using external dependencies for trivial functions like leftpad, but the risks still exist.
I’m not saying these problems are insurmountable, but they are problems that need to be managed:
- External code repos are a target for attackers.
- Sometimes the maintainer of the package is the attacker. The next protestware that intentionally deletes files may target your country, not Russia.
- Every external dependency is another point of failure for your project.
- External dependencies run to their timetable, not yours.
- And then there are dependency conflicts.
If the costs of external dependencies are less than the benefits, for you and your projects, then that’s great! But not everyone has the same cost/benefit tradeoff.
There is another class of people who cannot easily use external dependencies. Even in 2022, there are many people in the world who do not have cheap, easy, fast and reliable internet access. Access to external dependencies can be restricted or blocked, either by your own country or by GitHub themselves. Many schools and businesses prohibit the installation of “unauthorized software” on their machines.
Whether due to economics or politics or some other reason, the ability to just run pip install ... is not a universal privilege.
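As an added example (not part of the post above), here is a small Python audit of a pip requirements file for the two controls that directly address the risk list: an exact version pin, so upgrades happen on your timetable, and a --hash entry, so a tampered or re-uploaded archive is rejected. The package names, versions and digests in the sample file are constructed, not real releases.

```python
"""Audit a pip requirements file for two controls against dependency risk: an
exact version pin (upgrades on your timetable, not the maintainer's) and a --hash
(a tampered or re-uploaded archive fails ``pip install --require-hashes``).
Added example, not part of the original post; names, versions and hashes are
constructed sample data, not real releases."""
import re

SAMPLE_REQUIREMENTS = """\
# pinned and hash-locked: pip refuses the archive if its digest differs
requests==2.28.1 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000001
# pinned but unhashed: a malicious re-upload of 1.0.0 would be accepted
leftpad-py==1.0.0
# floating version: a new release lands in your build whenever it is published
pyyaml>=5.0
# direct VCS checkout: no pin, no hash, fetched straight from the repository
-e git+https://example.invalid/org/helper.git#egg=helper
"""

_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*")
_PIN_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*(\[[^\]]*\])?\s*==\s*\S+")

def _logical_lines(text):
    """Yield requirement lines with comments removed and continuations joined."""
    parts = []
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()  # pip: '#' after whitespace
        if line.endswith("\\"):
            parts.append(line[:-1].strip())
            continue
        parts.append(line)
        joined, parts = " ".join(p for p in parts if p), []
        if joined:
            yield joined

def audit_requirements(text):
    """Return {name_or_url: [findings]} for each requirement missing a control."""
    report = {}
    for line in _logical_lines(text):
        findings = []
        if line.startswith(("-e ", "git+", "http://", "https://")):
            findings.append("unpinned VCS/URL source")
        elif not _PIN_RE.match(line):
            findings.append("version not pinned with ==")
        if "--hash=" not in line:
            findings.append("no --hash (fails under pip --require-hashes)")
        if findings:
            m = _NAME_RE.match(line)
            report[m.group(0) if m else line.removeprefix("-e ").split()[0]] = findings
    return report
```

Running `audit_requirements(SAMPLE_REQUIREMENTS)` reports every entry except `requests`, which is the only one that carries both controls.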