Kerta Consulting
All posts

AI · Field Notes

'Don't Roll Your Own' Was Always About Cost

The rule every programmer learns - don't reinvent the wheel - was economics, not craft. This year both numbers moved: building your own got cheap, and borrowing got dangerous.

15 Jul 20263 min read

A few years ago the .NET world had a small earthquake. Moq - one of the most widely used testing libraries in C#, the thing that fakes out your dependencies so you can unit-test the rest - shipped a release that quietly harvested developer email addresses at build time and phoned them home. Not an attacker. The maintainer himself. I had it in my projects. So did half of .NET.

The uproar was immediate and the change was pulled within days, but a lot of us never fully trusted the package again - plenty of teams ripped it out for good. What stuck with me wasn't the email-harvesting. It was the thing underneath it: I had handed a stranger a standing key to run code on every machine that built my project, and I'd never once thought of it as a decision.

Because the advice had always pointed the other way. Every programmer absorbs it early: don't roll your own, don't reinvent the wheel. If a library solves it, use the library - it's tested, maintained, someone smarter already handled the edge cases. For most of my career that was simply correct. But that advice was never really about craft. It was about cost - the cost of building versus the cost of borrowing. And lately both numbers have moved, in opposite directions.

Borrowing got more dangerous. Moq was a maintainer having a bad idea; the newer pattern is worse. This month Jscrambler - a company whose whole business is JavaScript security - had its npm package poisoned by an outside attacker. That's a supply-chain attack: someone slips malicious code into a package thousands of projects pull in automatically, so it rides through your front door with your own trusted tools. This one ran the instant you installed it, before your app even started, hunting for cloud keys, crypto wallets, and - tellingly - the config files of AI coding tools like Claude and Cursor. Caught in six minutes. Which didn't help anyone who updated inside those six minutes.

Building your own, meanwhile, got cheap. I've called AI an infinite tap of perfect packages - hand it the problem and a clean, bespoke version pours out the moment you need it. Follow that one step further than I did last time: if the tap gives me exactly what I need, fitted to my code, I often don't need the third-party dependency at all. No maintainer to trust. No transitive tree of a hundred packages I'll never read. Just mine.

"Don't reinvent the wheel" was never about the wheel. It was about cost - and the cost just moved.

I'm not overselling this. I'm not tearing out React or writing my own crypto - some wheels are load-bearing and battle-tested and you'd be a fool to reforge them. But the long tail of little utilities, the one-function packages that drag in a hundred others you'll never read? That trade looks worse every month, and more and more I just write them myself.