NPM package that does nothing accidentally removed, breaks shit AGAIN
-
For a few minutes today the package "fs" was unpublished from the registry in response to a user report that it was spam. It has been restored. This was a human error on my (@seldo's) part; I failed to properly follow our written internal process for checking if an unpublish is safe. My apologies to the users and builds we disrupted.
More detail: the "fs" package is a non-functional package. It simply logs the word "I am fs" and exits. There is no reason it should be included in any modules. However, something like 1000 packages do mistakenly depend on "fs"
-
Again, this would not happen if NPM used a proper relational database to track packages and dependencies. It would be literally impossible to delete a package where other packages exist that depend on it.
I failed to properly follow our written internal process for checking if an unpublish is safe.
...which is precisely why it should be done with referential integrity rather than a checklist that a fallible human has to follow. This is already a solved problem, but people too trendy to use SQL keep screwing it up.
-
10,577 downloads in the last day
-
@bb36e said in NPM package that does nothing accidentally removed, breaks shit AGAIN:
10,577 downloads in the last day
fun fact: even if you install the package you have to do real shenanigans to require it as require('fs') will always prioritize a core package named fs over a NPM installed package.
-
@bb36e said in NPM package that does nothing accidentally removed, breaks shit AGAIN:
However, something like 1000 packages do mistakenly depend on "fs"
I wish they instead depended on “ffs” as that'd be far more suitable for reality.
-
@bb36e It's pretty much always a braindead n00b mistake: "I need to use the fs package here. Oh, before I require a package I have to npm install it."
-
I'm not a JS developer, but from reading such news I wonder: why don't they have unstable / stable branches or something like that?
-
@Grunnen said in NPM package that does nothing accidentally removed, breaks shit AGAIN:
I'm not a JS developer, but from reading such news I wonder: why don't they have unstable / stable branches or something like that?
That sort of thinking is why you aren't a JS developer. They don't allow your kind.
-
@Grunnen most libraries and frameworks are pre-alpha, JavaScript actually has issues correctly representing the version numbers because IEEE 754 floats lose precision once the magnitude gets small enough
-
@Dragoon said in NPM package that does nothing accidentally removed, breaks shit AGAIN:
That sort of thinking is why you aren't a JS developer. They don't allow your kind.
Unstable or bust.
-
@bb36e well, integers up to 250 should be fine. I don't think people need more for a version number.
-
@bb36e said in NPM package that does nothing accidentally removed, breaks shit AGAIN:
@Grunnen most libraries and frameworks are pre-alpha, JavaScript actually has issues correctly representing the version numbers because IEEE 754 floats lose precision once the magnitude gets small enough
Representing versions as floats?
-
Oh well, tbh what we get paid for is solving this shit.
-
@pydsigner how else are we supposed to encode the version in JSON?
-
@pydsigner said in NPM package that does nothing accidentally removed, breaks shit AGAIN:
Representing versions as floats?
That's almost as bad as representing an amount of money as a float.
-
@asdf I for one use multiple dot versions.
-
@Grunnen When the major version number is 0, that is "unstable". When the major version number is greater than 0, that is "stable".
-
@pydsigner speaking of version numbers:
http://www.tex.ac.uk/FAQ-TeXfuture.html
Knuth has declared that he will do no further development of TeX; he will continue to fix any bugs that are reported to him (though bugs are rare). This decision was made soon after TeX version 3.0 was released; at each bug-fix release the version number acquires one more digit, so that it tends to the limit π (at the time of writing, Knuth’s latest release is version 3.1415926). Knuth wants TeX to be frozen at version π when he dies; thereafter, no further changes may be made to Knuth’s source. (A similar rule is applied to MetaFont; its version number tends to the limit e, and currently stands at 2.718281.)
-
@LB_ said in NPM package that does nothing accidentally removed, breaks shit AGAIN:
@Grunnen When the major version number is 0, that is "unstable". When the major version number is greater than 0, that is "stable".
I'm not sure what the middle number is for, but the first number changes when you break something on purpose and the last number changes when you break something by accident.
-
@ben_lubar said in NPM package that does nothing accidentally removed, breaks shit AGAIN:
@LB_ said in NPM package that does nothing accidentally removed, breaks shit AGAIN:
@Grunnen When the major version number is 0, that is "unstable". When the major version number is greater than 0, that is "stable".
I'm not sure what the middle number is for, but the first number changes when you break something on purpose and the last number changes when you break something by accident.
Lol.
Well said.
-
@LB_ said in NPM package that does nothing accidentally removed, breaks shit AGAIN:
When the major version number is greater than 0, that is "stable".
Counter-example: Discourse 1.x
-
@ben_lubar said in NPM package that does nothing accidentally removed, breaks shit AGAIN:
@LB_ said in NPM package that does nothing accidentally removed, breaks shit AGAIN:
@Grunnen When the major version number is 0, that is "unstable". When the major version number is greater than 0, that is "stable".
I'm not sure what the middle number is for, but the first number changes when you break something on purpose and the last number changes when you break something by accident.
the middle number is for when you add features that don't change either of the other numbers.
-
Fun fact: Go's package manager would never have this problem because non-standard library packages can't have names that don't start with a domain.
Preemptive: They can have names that don't start with a domain in Go, but not in the Go package manager.
-
@ben_lubar go would also not have this issue because not enough people use it for the issue to be discovered
-
@HardwareGeek said in NPM package that does nothing accidentally removed, breaks shit AGAIN:
@LB_ said in NPM package that does nothing accidentally removed, breaks shit AGAIN:
When the major version number is greater than 0, that is "stable".
Counter-example: Discourse 1.x
Additional counter-example: NodeBB 1.x
-
@HardwareGeek said in NPM package that does nothing accidentally removed, breaks shit AGAIN:
@LB_ said in NPM package that does nothing accidentally removed, breaks shit AGAIN:
When the major version number is greater than 0, that is "stable".
Counter-example: Discourse 1.x
That's stable. With lots of in it.
-
@Grunnen said in NPM package that does nothing accidentally removed, breaks shit AGAIN:
I'm not a JS developer, but from reading such news I wonder: why don't they have unstable / stable branches or something like that?
There's no need: everything npm is unstable. It's job protection.
Or a racket, depending on how you look at it.
-
@dkf said in NPM package that does nothing accidentally removed, breaks shit AGAIN:
That's stable. With lots of in it.
Physics has a term for it: meta- stable. It's sort of stable, unless you start poking it, or just happen to glance into its general direction.
-
@cvi said in NPM package that does nothing accidentally removed, breaks shit AGAIN:
It's sort of stable, unless you start poking it, or just happen to glance into its general direction.
Or even if it just gets a bit bored.
-
I think I traced why its usage is everywhere
First example on this page https://nodejs.org/api/https.html
-
@bb36e said in NPM package that does nothing accidentally removed, breaks shit AGAIN:
@ben_lubar go would also not have this issue because not enough people use it for the issue to be discovered
Crucial Go package removed. Breaks both other Go packages
-
@Hanzo said in NPM package that does nothing accidentally removed, breaks shit AGAIN:
@Grunnen said in NPM package that does nothing accidentally removed, breaks shit AGAIN:
I'm not a JS developer, but from reading such news I wonder: why don't they have unstable / stable branches or something like that?
There's no need: everything npm is unstable. It's job protection.
Or a racket, depending on how you look at it.
Paging @Schol_R_LEA
-
Racket is a full-spectrum programming language. It goes beyond Lisp and Scheme with dialects that support objects, types, laziness, and more.
IT HAS LAZINESS? Sign me up!
-
@Onyx I have a language which lets me say "after idle" meaningfully…
-
@Onyx Not usually. The comment character concerned is "#" … :p
-
@aliceif said in NPM package that does nothing accidentally removed, breaks shit AGAIN:
@Hanzo said in NPM package that does nothing accidentally removed, breaks shit AGAIN:
@Grunnen said in NPM package that does nothing accidentally removed, breaks shit AGAIN:
I'm not a JS developer, but from reading such news I wonder: why don't they have unstable / stable branches or something like that?
There's no need: everything npm is unstable. It's job protection.
Or a racket, depending on how you look at it.
Paging @Schol_R_LEA
It's not a real racket if there's no ball-whacking involved
-
@cark given the description, I'm sure you have to bust your balls pretty hard to learn it.
-
@Onyx I'm generally not on the ball with these obscure languages
-
@DogsB It's already been explained why its usage is everywhere. People don't understand that "https" and "fs" are core modules; the example you gave doesn't require npm at all. So I don't think you can blame it per se.
-
@bb36e said in NPM package that does nothing accidentally removed, breaks shit AGAIN:
More detail: the "fs" package is a non-functional package. It simply logs the word "I am fs" and exits. There is no reason it should be included in any modules. However, something like 1000 packages do mistakenly depend on "fs"
For Christ's sake, WHY DO YOU ALLOW NPM MODULE TO SHADOW NODE'S OFFICIAL LIBRARY!?
fun fact: even if you install the package you have to do real shenanigans to require it as require('fs') will always prioritize a core package named fs over a NPM installed package.
OK, that's better. It still shouldn't exist.
-
@cartman82 said in NPM package that does nothing accidentally removed, breaks shit AGAIN:
For Christ's sake, WHY DO YOU ALLOW NPM MODULE TO SHADOW NODE'S OFFICIAL LIBRARY!?
mostly because at the time that package was created it wasn't shadowing node's official library, then it was absorbed into core, then it was changed to print "i am fs" and some packages have never updated their deps (or wrongly installed it) so even though they don't actually use it the package is still needed.
at least if i'm interpreting the timeline right.
is stupid, but at least node handles things sensibly by using core over npm installed packages, so is merely stupid instead of catastrophic
-
-
@powerlord said in NPM package that does nothing accidentally removed, breaks shit AGAIN:
@accalia OK, I'm only vaguely aware of what's going on with Node, but why was the main FileSystem package removed in the first place?
it wasn't. it just was not always part of core.
if i have this all straight it went something like this
back in the pre node 0.10 days (and i think even before 0.8) node had no native file system access class. so someone wrote one as a package called fs. fs was awesome, it was magical it was exactly what nodejs needed. so joyent said "YOINK" and slurped it into core. now there was a fs package in core and one in npm that did the same things, and because node prioritizes core packages over npm the npm one does jack shit now. so eventually it's changed to just print a small note. so there's this odd package doing nothing.... then someone says "we shouldn't have that package because no one can use it so it's pointless.....
and that's when the popcorn started.
-
@accalia Yeah, I deleted that post because I realized what the problem was before anyone replied to it.
As a side note, fs never actually worked on Windows because it was a POSIX thing.
-
@accalia said in NPM package that does nothing accidentally removed, breaks shit AGAIN:
"i am fs"
"I am not the package you're looking for."
-
My question would be, what happens with stuff like Nuget if that is part of your build process? I don't think this is something that is unique to NPM.
-
@pydsigner said in NPM package that does nothing accidentally removed, breaks shit AGAIN:
@asdf I for one use multiple dot versions.
We used to have Dots 1.5 on Discourse!
-
@lucas1 said in NPM package that does nothing accidentally removed, breaks shit AGAIN:
My question would be, what happens with stuff like Nuget if that is part of your build process? I don't think this is something that is unique to NPM.
Yeah, I had a package that had its name get changed (I think it was something to do with UWP apps, the name change was because back then it wasn't called UWP). When NuGet tried to "restore" the package, it couldn't find it and broke the build.