It's time to sandbox the software ecosystem

There is something notable about software development culture. Having recently watched The Code Report about a fresh new web framework on a fresh new runtime, I noticed that, as mentioned in the comments there, we have moved from PHP+jQuery to fully dynamic SPAs, and seemingly back again.

In a similar vein, programmers have gone from command-line-loving basement dwellers to hipster rockstars, and now back to some modern, shaped-up version of the former, which loves over-engineered solutions and spends 25 hours a day delving into every single detail of the hoops you have to jump through to get something working, as well as comparing all these frameworks. And as soon as they grasp the concept, they excitedly reinvent the wheel, adding to the already bizarre amount of libraries and packages.

Unfortunately, they do this without long-term thinking, as we can surely see by the number of libraries and frameworks that end up abandoned, or decided by consensus to be "not such a good idea", after a brief period of time.

For example, which validation library should I use? Joi, Zod, Ajv or Yup? They all look similar, do similar things, have a similar API, similar sponsors, similar documentation, and a similar list of similar companies using them. I don't want to spend my days digging through these, or through every other part of the project that needs a library. It's so rare that these are new problems. There should already be an effective, established general solution, and all that the library programmers would have to do is port it to their favorite language and platform. But following a dry specification is tedious compared to the fun part of letting your imagination break the mould, so "I want to use my own ideas!" the nerd youthfully exclaims, while writing yet another HTTP client.

There's nothing wrong with that as a learning process, but what's happening in the development world is turning into navel-gazing and a waste of time and money. We code mainly for others, and others usually pay us for doing a good job in good time. Reinventing wheels is not included in that. Therefore, the nerds need a wake-up call. One way to do this could be for the package managers to have a sandbox and strict version control. This is the message you should get when you've uploaded a package:

"Thanks for your contribution! You're gonna be in this hidden section for some time, whether you're backed by Facebook or not. The only way for the public to use your library in the first year is by adding some complicated flags to their project, which should be no problem for configuration-loving nerds. Warnings will be displayed when doing that, of course. Our AI will also link your project to similar, public ones, and to the closest related standard, with helpful suggestions on how you can adhere to it more closely. After a year, if you're still around and decide to publish, your API must be set to version 1.0.0+, and if you break it, you're back in the sandbox."

Who will answer this call? I can't myself, unfortunately; I'm stuck being a human API decoder and comparer of frameworks...