I tried stylix out today and came to an issue I'm somewhat concerned about. The flake introduces quite a lot of dependencies, some of which get quite little attention, like:
| Repo | Stars | Last Update |
|---|---|---|
| tomyun/base16-fish | 37 | 5y ago |
| SenchoPens/fromYaml | 3 | 2y ago |
and that in itself is no problem at all, but it does mean that if these dependencies end up compromised for some reason, and the flake lock is updated as a whole, these changes might go unnoticed and end up in the stylix project (not necessarily executed, but that might be possible if the respective modules are used), which could be kinda disastrous.
So imo it should be an aim to reduce the dependencies by a lot, incorporating the respective code into stylix itself (obviously in accordance with their project licenses). As there seem to be few updates to the 2 repos I mentioned as examples anyway, this doesn't seem like a big problem to me.
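The concern above is that a wholesale `nix flake update` rewrites every input's pin at once, so a changed `rev` in a rarely watched input is easy to miss in the lock diff. One practical check, shown here as an added example that is not code from stylix or from Nix, is to diff the old and new `flake.lock` per input and print only the inputs whose locked source, `rev` or `narHash` actually moved, so each one can be reviewed (and ideally committed) separately. It assumes the `flake.lock` v7 layout (a top-level `nodes` map, each non-root node carrying a `locked` attribute); the two lock documents below are constructed samples with dummy revisions and hashes, not real pins from the stylix repository.

```python
"""Diff two flake.lock files and report which inputs actually changed.

Added example, not part of stylix or Nix. Assumes the flake.lock v7 layout:
a top-level "nodes" map whose non-root entries each carry a "locked" attr.
OLD_LOCK / NEW_LOCK below are constructed; the revs and narHashes are dummies.
"""
import json
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class InputChange:
    name: str
    status: str              # "added", "removed" or "changed"
    source: str              # e.g. github:tomyun/base16-fish
    old_rev: Optional[str]   # None when the input is new in the updated lock
    new_rev: Optional[str]   # None when the input was dropped
    old_nar_hash: Optional[str]
    new_nar_hash: Optional[str]


def _describe_source(locked: dict) -> str:
    """Render a node's 'locked' attribute as a short origin string."""
    kind = locked.get("type", "?")
    if "owner" in locked and "repo" in locked:
        return f"{kind}:{locked['owner']}/{locked['repo']}"
    return f"{kind}:{locked.get('url') or locked.get('path') or '?'}"


def _locked_nodes(lock_text: str) -> dict:
    """Map input name -> locked attrs, skipping the root node (it has no 'locked')."""
    doc = json.loads(lock_text)
    root = doc.get("root", "root")
    return {name: node.get("locked", {})
            for name, node in doc["nodes"].items() if name != root}


def diff_flake_lock(old_text: str, new_text: str) -> List[InputChange]:
    """Return one InputChange per input whose pin differs between the two locks."""
    old, new = _locked_nodes(old_text), _locked_nodes(new_text)
    changes = []
    for name in sorted(set(old) | set(new)):
        o, n = old.get(name), new.get(name)
        if o is not None and n is not None and o == n:
            continue  # same source, rev and narHash: nothing to review here
        status = "added" if o is None else "removed" if n is None else "changed"
        changes.append(InputChange(
            name=name, status=status,
            source=_describe_source(n if n is not None else o),
            old_rev=o.get("rev") if o is not None else None,
            new_rev=n.get("rev") if n is not None else None,
            old_nar_hash=o.get("narHash") if o is not None else None,
            new_nar_hash=n.get("narHash") if n is not None else None,
        ))
    return changes


def render_report(changes: List[InputChange]) -> List[str]:
    """One human-readable line per change, abbreviating 40-char git revs."""
    short = lambda rev: (rev or "?")[:8]
    lines = []
    for c in changes:
        if c.status == "added":
            lines.append(f"ADDED   {c.name} ({c.source}) @ {short(c.new_rev)}")
        elif c.status == "removed":
            lines.append(f"REMOVED {c.name} ({c.source}) was @ {short(c.old_rev)}")
        else:
            lines.append(f"CHANGED {c.name} ({c.source}) "
                         f"{short(c.old_rev)} -> {short(c.new_rev)}")
    return lines


def _node(owner: str, repo: str, rev: str, nar_hash: str) -> dict:
    return {"flake": False, "locked": {"type": "github", "owner": owner,
                                       "repo": repo, "rev": rev, "narHash": nar_hash}}


# Constructed sample locks: dummy revs/hashes, not real pins.
_ROOT = {"inputs": {"base16-fish": "base16-fish", "fromYaml": "fromYaml"}}
OLD_LOCK = json.dumps({"version": 7, "root": "root", "nodes": {
    "root": _ROOT,
    "base16-fish": _node("tomyun", "base16-fish", "1" * 40, "sha256-OLD=" ),
    "fromYaml": _node("SenchoPens", "fromYaml", "2" * 40, "sha256-SAME="),
}})
NEW_LOCK = json.dumps({"version": 7, "root": "root", "nodes": {
    "root": {"inputs": dict(_ROOT["inputs"], **{"extra-input": "extra-input"})},
    "base16-fish": _node("tomyun", "base16-fish", "3" * 40, "sha256-NEW="),
    "fromYaml": _node("SenchoPens", "fromYaml", "2" * 40, "sha256-SAME="),
    "extra-input": _node("someone", "something", "4" * 40, "sha256-ADDED="),
}})


if __name__ == "__main__":
    # With real files: diff_flake_lock(open("flake.lock.orig").read(), open("flake.lock").read())
    for line in render_report(diff_flake_lock(OLD_LOCK, NEW_LOCK)):
        print(line)
```

Run against a pre-update copy of `flake.lock` and the freshly updated one, the report lists only the inputs that moved, which is the set worth opening on the forge and eyeballing before the lock is committed. Depending on the Nix version, individual inputs can also be bumped one at a time (for example `nix flake lock --update-input <name>` on older releases) so that each input's pin change lands in its own reviewable commit instead of one monolithic lock update.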