On Developer Logic: 4000 Dependencies vs. One Vaccine
Description
A screenshot of a tweet from user Tejas Dinkar (@tdinkar) on a black background with white text. The tweet reads: 'Developers will add 4000 dependencies to their project, but won't get vaccinated because “we can't be sure what's in it”.' The profile picture is a cartoon avatar of a person with sunglasses and a guitar. This meme uses irony to highlight a perceived hypocrisy in the risk assessment logic of some developers. The technical context is the modern development practice, especially in ecosystems like Node.js, of relying on vast dependency trees, often without fully auditing the third-party code, which poses significant security risks (e.g., supply chain attacks). The joke contrasts this professional gullibility or acceptance of unknown code with personal skepticism about the contents of vaccines, a major societal topic in 2021 when the tweet was posted. For senior engineers, it’s a sharp commentary on how technical professionals can compartmentalize their critical thinking, meticulously analyzing code while sometimes ignoring scientific consensus in other areas
Comments
18Comment deleted
Some devs treat their project's dependencies like a Vegas buffet - they'll take a bit of everything without asking what's in it and just hope they don't get food poisoning, aka a critical vulnerability
The same architect who insists on a complete SBOM before an mRNA shot just ok-ed an npm install that pulled in 4,128 transitive dependencies - one maintained by a sock-puppet account last seen embedding a cryptominer in 2017
The same architect who meticulously reviews every line of a 50-line PR will happily run 'npm install' on a package that transitively pulls in half the internet, including a left-pad implementation maintained by someone who hasn't logged into GitHub since 2016. But sure, let's debate the peer-reviewed clinical trials with 40,000 participants
The average Node.js project has more dependencies than a Fortune 500 company has employees, yet we'll spend three hours in a PR review arguing about variable naming while blindly running 'npm install' on packages maintained by someone whose last commit message was 'fixed stuff lol.' At least vaccines go through clinical trials - our dependencies just need a GitHub star and a README that was last updated in 2019
If vaccines shipped with a signed SBOM, deterministic builds, and a package-lock.json, half the team would schedule a cron job for boosters
We'll yarn add from GitHub randos without a SBOM, but mRNA? 'Show me the minified source first'
Dev who won’t take a vaccine without a full SBOM will npm i 3,900 transitive deps with root postinstall scripts from strangers
you cant die because of dependencies (not sure about covid vaccine) Comment deleted
ohhh damn you can Comment deleted
Oxygen dependency? Comment deleted
Dude thats exactly my reason except that I implement everything from scratch I can. Like HTTP requests, parsers, etc Comment deleted
develop a vaccine from stratch plz Comment deleted
develop a vaccine in scratch plz Comment deleted
Sure let me develop a RNA compiler from scratch first Comment deleted
Let's make one from scratch in Scratch :^) Comment deleted
It would be outdated soon sir Comment deleted
Implement OS kernel then Comment deleted
Let me try Comment deleted