moq VS GORM

Moq’s prior version, 4.18.4, free of the exfiltration behavior, accounts for 6,765,006 downloads in the past six weeks, demonstrating the potential blast radius of privacy breach if a developer hadn’t noticed the issue and raised it with the community.

In light of the Moq issue yesterday[0] I'm interested to understand why the consensus seems to be so in favor of keeping packages up-to-date in software.

The common explanation I see is it "keeps you up to date with security and bug fixes".

But in practice this seems to just involve most orgs mandating Dependabot and mindlessly updating every dependency when a new version becomes available. (Yes in an ideal world you code review every change in every dependency, but... I mean, let's be real here. Just take the update frequency of the AWS SDK packages in isolation, very few orgs are actually doing this)

As a maintainer of an open source library I know most releases are a crapshoot, they're just as likely to contain new bugs and flaws as they are to fix old ones.

So staying up-to-date seems to open up codebases to far greater risks than outdated dependencies:

1) Zero days, a new package launches with some critical security flaw that isn't going to get noticed for some time.

2) Supply chain attacks, old packages are generally immutable. Therefore most supply chains attacks seem to involve take-overs of existing package (name)s by disgruntled or new hostile 'maintainers'. The new versions are far more at risk.

3) New bugs, the dirty truth of OSS is most work is done by unpaid people with little time or ability to focus. Most software isn't formally verified. New updates are a risk.

In addition the old version is a known quantity. Unless you know absolutely the version you are running is compromised (log4j, OpenSSL) what benefits does updating actually bring? The default presumption that version number goes up is better seems like yet more security/compliance cargo cult behavior.

What am I missing here?

[0] https://github.com/moq/moq/issues/1374

NSubstitute is good, I used it at a previous job.

I've favored Moq in the past because I think there are a couple of things it makes a bit easier or is a bit less opinionated about, but NSub is perfectly cromulent as well.

Someone posted a quick guide to migrating a bunch of it easily in one of the issues in the Moq repo discussing this whole mess: https://github.com/moq/moq/issues/1374#issuecomment-16712411...

Moq was is a popular .NET mocking library that has accumulated over 475.7 million downloads as of now.

Going by reports in the releated Github issue Moq does not let users opt out of this privacy-invading data collection: https://github.com/moq/moq/issues/1372

This is sad. Moq was my favorite mocking framework in .net. I will not be using it moving forward and if I had any projects using it I'd rip it out ASAP.

GORM is a comprehensive ORM tool in Go, offering a code-first approach which allows defining database schemas using struct tags in Go. It's known for its developer-friendly nature, making it suitable for both beginners and experienced users. GORM supports a variety of SQL databases like MySQL, PostgreSQL, and SQLite. It's designed to be flexible, allowing developers to drop down to raw SQL when necessary. However, it's important to be cautious about its performance implications in large-scale applications.

Homepage: https://gorm.io/

Since most of these APIs will be simple CRUD (Create/Read/Update/Delete) endpoints, let's build this service using GORM, an ORM library that makes building CRUD endpoints really simple.

After successfully configuring the application, it's time to delve into integrating the data layer. For this purpose, I will utilize gorm, a powerful SQL ORM that facilitates rapid development of the data layer using model structs.

For basic INSERT ... VALUES ... or SELECT ... WHERE ... JOIN ..., use a library such as GORM. For INSERT .... SELECT ... statements where one combines two round trips (SELECT and INSERT) into one, ORMs have a hard time performing this query. Particularly when you start doing joins. Joins are the heart of Relational database theory (they denote relationships). So get to know what an INNER, LEFT, RIGHT and OUTER join is and why you would use them. Also learn INSERT ... SELECT ...

I have never hated gorm and it serves me well. However I tend to feed it raw SQL very often.

Array of values with embedded value all pointed to the last value, reflect code was broken: https://github.com/go-gorm/gorm/pull/5901 data corruption