Maybe this is a case where having a centralized registry does pay off?
Yea, I think a mitigation that could work would be to select which package to download using the author’s name and the package’s name.
So like install zenith391/zgt would be enough to prevent most problems.
the typo shadowing was one thing, but the bigger part is why does a library about decimal math need internet or file system access??? as long as our computer systems are designed to hand out privileged access willy-nilly, things like this are gonna happen.
how do i install libs on zig
There’s no official package manager yet, although there are some very good options developed by the community like zigmod and gyro. You can also add dependencies manually via the robust Zig build system, covered most excellently in this series.
that’s a good point imo, for example golang has an (almost) fully decentralized package system and this doesn’t seem to happen too often, I think partially because package names are fully qualified