While I love postgres, I take issue with coupling too much application logic to the DB. It’s much easier to update/rollback stateless containers/cloud functions/VMs than to recover a DB.
I agree that it seems very improbable. The only possible malicious scenario I can imagine is that the Github repo is clean, but npm creds have been compromised.
It's so hard to triage this when no justification has been provided for the advisory. Was the GHSA released in response to npm pulling the package, or vice versa?
Many suggestions for workarounds, but if the GHSA is indeed accurate (all versions affected) then that seems unwise.
No-code platforms are really DSLs wrapped in a nice UI. No-code platforms that are more open and developer focused typically let you actually dump out the app as a big bundle of config/DSL (e.g. a custom JSON format).
Maybe using LLMs to generate DSL code will produce better (and more maintainable) results than fully-fledged languages?
Agreed. Try inheriting a project that hasn’t been updated for a few years. Between the absolute dependency hell, and major breaking changes, there is huge temptation to just rewrite the whole thing.
Even a basic application requires layers upon layers of dependencies. Many of them are not as mature as people like to think either.
Also are you applying migrations with CREATE OR REPLACE etc? I find that much harder to collaborate on than just standard code.