> The fine granularity of dependencies that package managers have facilitated has made air-gapped development logistically very difficult. And it makes safety or security certifications impossible.
Vendoring is kind of a pain. You start with a toml that has everything you think you'll need, then you grab all that, run it by legal and the IT team and copy it over. You find a new dependency and start again.
Before package managers you ended up with giant pseudo-stdlib libraries like boost or eigen, and you only needed a tiny piece, but once you brought it over you had it all, and it had no sub-dependencies to worry about. Monolithic was easier from a lot of standpoints. Crates.io is exactly what I'd want if I wasn't too worried about safety or security. It is far more productive. But if you make software that other companies use to help make themselves secure, then you are wearing a bullseye these days and it is kind of your job to be paranoid about deep dependency trees.
Maven and NuGet, especially the ability to ship binary libraries (including C and C++ ones), and have internal company repos where only IT- and Legal-vetted libraries are made available.
Cargo has a vendor feature: https://doc.rust-lang.org/cargo/commands/cargo-vendor.html
Is there some language ecosystem that is better?