Guy brings down thousands of npm builds



  • @RaceProUK said:

    Of course, there's one user here who'll use this as an excuse to hate on OSS, even though this has nothing at all to do with the fact that this is OSS; the same could so easily happen with closed-source.

    You do realize that .net is open source, right? http://referencesource.microsoft.com/#mscorlib/system/string.cs



  • @Hanzo I did NPM just Monday. I should go back and let you know how many .js files are in our node_modules folder; it's well in the hundreds of thousands.

    That doesn't mean hundreds of thousands of "libraries" like the padleft one above, but... it ain't TOO far off.

    And it's a bog-standard Angular site.



  • @WPT said:

    But... but... aren't simple tasks like numerical checking and string padding trivial enough that anyone could have just written functions for them without having to link to another dependency?

    Demonstrably not. Go back and read the OP again.



  • @blakeyrat

    UMM, NuGet?



  • @anonymous234 said:

    Does Javascript even have any built-in libraries, like at all? I don't blame the developers for not wanting to rewrite the essential stuff every single time.

    It has a woefully incomplete date library, and a somewhat incomplete math library.

    And while I also don't blame the developers for wanting complete, quality, libraries, maybe-- and here's just a thought-- maybe put ALL the string functions in a single library managed by the Node.JS organization itself? It makes their product better, and also immune to asshattery like described in the OP. I could also ask, "why the fuck wasn't this done years ago?" but answering that would just remind everybody that open source is lazy developers who just do not give a fuck writing lazy software. And I guess RaceProUck doesn't want me to do that.



  • @thegoryone said:

    WHAT?

    It's JavaScript. You should read the ECMA spec sometime; it's actually really short and readable.


  • FoxDev

    @blakeyrat said:

    You do realize that .net is open source, right?

    Who said I meant you? :P

    To be fair though, you do have a history of criticising open source for things closed source is also guilty of



  • @Yamikuronue Next he'll say that if you just read NPM's manual, or learned more about how it's implemented, that would have magically made this padleft library disappear and appear in your own code base, delivered by fairy wizards overnight.


  • FoxDev

    @blakeyrat said:

    And I guess RaceProUck doesn't want me to do that.

    Couldn't care less, tbh


  • FoxDev

    @RaceProUK said:

    @cartman82 And the best thing about lodash

    you know the worst thing about lodash?

    it canonically is used via

    const _ = require('lodash');

    do you know what else _ is standardly used for? Function parameters where you need a parameter to match the spec but don't actually care what the parameter is.

    .... actually if that's the worst thing i can say about the library it must be fecking awesome.


  • FoxDev

    @accalia Eh, that's just shit convention; it's just as easy to say

    const lodash = require('lodash');

    Which, tbh, is the way I'd do it



  • @lucas1 said:

    UMM, NuGet?

    reply

    UMMMMMMMMMM

    Yeah you're right, Nuget is far inferior. It doesn't even have a PadLeft library: https://www.nuget.org/packages?q=padleft

    I like how the reply button grabbed the word "reply" in addition to the post. Good touch there.



  • @RaceProUK said:

    To be fair though, you do have a history of criticising open source for things closed source is also guilty of

    Because if an open source product did it wrong, obviously all closed source products do it right. It's like a see-saw. One goes up, the other goes down.

    It's impossible that BOTH the open source and closed source products make the same mistake. That's crazy-talk. That's not how reality works!

    Look, I know that when you're on a forum on the web you're gonna get all kinds of users, but it'd be nice to talk to people who don't have the cognitive skills of 3-year-olds. Stop and think before typing.



  • @accalia yeah, learned that the hard way :/


  • Garbage Person

    @cartman82 said:

    People... Just make a fucking tools library for your project, ok? You don't need to drag in silly simple stuff like this as dependencies.

    WtfFramework has a Utility library. I have been told by senior management that this is not acceptable practice and to use third party libraries instead.

    Because there are totally third party libraries that interface with our proprietary internal systems.

    It also contains one extension to IEnumerable to monkeypatch in functionality that generic collections provide, a few extensions to object for serialization, and a few string extensions for deserialization. All of which are totally things that exist in the third party!

    Idiots.


  • FoxDev

    @blakeyrat said:

    It's impossible that BOTH the open source and closed source products make the same mistake.

    Funny; I said exactly the opposite


  • kills Dumbledore

    @Weng said:

    WtfFramework has a Utility library. I have been told by senior management that this is not acceptable practice and to use third party libraries instead

    Rename it to thirdPartyUtilities. Job done



  • Javascript used to be wtf, but now it has improved a lot.


  • Discourse touched me in a no-no place

    @Yamikuronue said:

    101 excels in making one-liners into 15 line external dependencies.

    I preemptively declare this bro to have won OMGWTFBBQ3, or whatever the next one is.



  • @Yamikuronue said:

    101 excels

    I can barely handle one!

    Operator-as-nameable-function or naming one-liners in general is not a terrible idea, as it can make some code using higher-order functions easier to read. Especially since long-form lambdas in JS get really, really noisy, and the short form is a relatively recent invention.

    It is fairly silly to make a module per function, though. Not sure why that would be a selling point.



  • And fuck me, y'all complain about PHP. We have a (shitty) package manager but pretty much any PHP dev can master if ($x > 0) and we have sane string padding built in. And our packages are usually less fucktarded.

    Who's TRWTF NOW HUH?!?!?!?!

    We didn't even overload + to mean add or concatenate!


  • FoxDev

    @Arantor said:

    fuck me

    If it's all the same to you, I'd rather not; @accalia might get jealous…



  • @RaceProUK That joke is just as lame on NodeBB as it was on Discourse.



  • @Arantor

    You do know there is no such thing as an integer in JS.

    A lot of people are conflating the mentality of the node community which is lots of small lego pieces to build everything and some libraries which are a bit shitty.

    I personally use a lot of polyfills for the browser and I rarely use node. These (polyfills) are straight from MDN but they are in my personal bitbucket and I have a script that downloads them when I start a new project using gulp or grunt. It works for me.

    The real issue is that a project can't really rely on a build process that is pulling in third party dependencies, no matter what the language or package manager. I would argue that companies should run their own versions of NPM repos.

    Also the NPM community is already trying to solve it:


  • I survived the hour long Uno hand

    @lucas1 said:

    companies should run their own versions of NPM repos.

    They do: NPM Enterprise (or whatever it's called now).


  • FoxDev



  • Oh cool, I didn't know that exists.

    A lot of companies probably should be paying for it, if they want that level of stability.


  • I survived the hour long Uno hand

    @lucas1 Yeah, my workplace bought it, but hasn't got the servers set up yet. So we have the worst of both worlds right now.



  • @Yamikuronue

    We had the same problem with NuGet and Bower and we set something up which was essentially hosted in the company. It took months of fucking around, but it worked fine once sorted.



  • @Yamikuronue I talked to my front-end lead at work today and he has some homebrew thing he made to keep track, but he's going to push for getting an actual product.

    I was like: if you can talk our "dev ops" person into maintaining the damned thing so it doesn't waste developer time, go for it.

    Apparently setting up NPM to work with a non-public server is a pain in the ass, requiring configuration in files that can't be simply checked-in to the product's repo. Going by what he says. Oh well.

    He also agreed with me that if Node.JS "foundation" is going to be responsible for all this shit, they should get the goddamned BASICS in their OWN libraries, and leave the "random shitty open source" developed libraries for stuff a bit less common than "PadLeft".
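    One way to make the "run your own NPM repo" idea enforceable rather than aspirational is to check the lockfile in CI: every pinned package should have been resolved from the internal mirror, not from wherever the build machine happened to be pointed. The script below is an added example for this thread, not code from any of the posters or from npm itself; the mirror hostname, the package names and the sample lockfile are all constructed. It walks both the nested `dependencies` tree (npm-shrinkwrap.json / package-lock v1) and the flat `packages` map (lockfile v2/v3) and reports anything that came from an unapproved host or carries no `resolved` URL at all.

```python
"""Verify that every package pinned in an npm lockfile was resolved from an
approved registry host (e.g. a company-run mirror).

Added example for the thread above; hostnames, package names and the sample
lockfile are constructed, not taken from a real project.
"""
import json
from urllib.parse import urlparse

# Assumption: the only acceptable source is the internal mirror.
ALLOWED_REGISTRY_HOSTS = {"npm.internal.example"}


def iter_locked_packages(lock):
    """Yield (name, version, resolved) for every entry in the lockfile.

    Handles the nested "dependencies" tree of npm-shrinkwrap.json and
    package-lock.json v1, and the flat "packages" map of lockfile v2/v3.
    """
    def walk(deps):
        for name, meta in deps.items():
            yield (name, meta.get("version"), meta.get("resolved"))
            # Transitive dependencies are nested under the parent entry.
            yield from walk(meta.get("dependencies", {}))

    yield from walk(lock.get("dependencies", {}))

    for key, meta in lock.get("packages", {}).items():
        if not key:  # "" is the root project itself, not a dependency
            continue
        # Keys look like "node_modules/a/node_modules/b"; keep the leaf name.
        name = key.rsplit("node_modules/", 1)[-1]
        yield (name, meta.get("version"), meta.get("resolved"))


def find_unapproved(lock, allowed_hosts=ALLOWED_REGISTRY_HOSTS):
    """Return a sorted list of (name, version, reason) for every entry that
    was not fetched over https from an approved host, or has no resolved URL."""
    findings = set()
    for name, version, resolved in iter_locked_packages(lock):
        if not resolved:
            findings.add((name, version, "no resolved URL"))
            continue
        url = urlparse(resolved)
        if url.scheme != "https" or url.hostname not in allowed_hosts:
            findings.add((name, version, f"resolved from {resolved}"))
    return sorted(findings)


# Constructed sample in the v1 nested shape: one direct dependency pulled from
# the public registry, and one transitive dependency with no resolved URL.
SAMPLE_LOCKFILE = json.loads("""
{
  "name": "example-app",
  "version": "1.0.0",
  "lockfileVersion": 1,
  "dependencies": {
    "example-pad-left": {
      "version": "1.0.0",
      "resolved": "https://npm.internal.example/example-pad-left/-/example-pad-left-1.0.0.tgz"
    },
    "example-widget": {
      "version": "2.0.0",
      "resolved": "https://registry.npmjs.org/example-widget/-/example-widget-2.0.0.tgz",
      "dependencies": {
        "example-is-positive": {
          "version": "3.1.0",
          "resolved": "https://npm.internal.example/example-is-positive/-/example-is-positive-3.1.0.tgz"
        },
        "example-tiny-helper": {
          "version": "0.0.1"
        }
      }
    }
  }
}
""")


if __name__ == "__main__":
    problems = find_unapproved(SAMPLE_LOCKFILE)
    for name, version, reason in problems:
        print(f"{name}@{version}: {reason}")
    raise SystemExit(1 if problems else 0)
```

    In a pipeline you would load the real `npm-shrinkwrap.json` or `package-lock.json` instead of `SAMPLE_LOCKFILE` and fail the build on a non-empty result; passing a wider `allowed_hosts` set lets a team whitelist the public registry during a migration while still catching entries with no provenance at all.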



  • @blakeyrat

    Why should a machine config be in a code repo?

    Nothing that is machine specific should be in the repo if at all possible.



  • @lucas1 said:

    Why should a machine config be in a code repo?

    Why should a trolling douchebag be on this forum? That's a real puzzler.



  • @blakeyrat

    Saying someone is "Trolling" has become a way to shutdown the conversation.

    I asked you a question, nothing more or less and you are acting like a fucking asshat.

    I asked you why the machine configuration should be put into source control. This is not trolling it is a fucking question as to why you would put it in there as it is commonly accepted you shouldn't do that.

    EDIT: If you don't want people asking you why you are doing something, you are in the wrong profession.


  • ♿ (Parody)

    @blakeyrat said:

    Apparently setting up NPM to work with a non-public server is a pain in the ass, requiring configuration in files that can't be simply checked-in to the product's repo.

    Seems like you ought to be able to just keep your dependencies in your main repository. But honestly, I don't really work in this arena, so maybe the dependencies are a lot more fluid.

    I mean...I have several hundred megabytes worth of jar files in my repo. They change occasionally, so it's not a big deal. Likewise, I have a couple of external javascript libraries.

    Maybe we're just too enterprise and not enough hipster.



  • @boomzilla

    He doesn't want an answer or anything that resembles it. He wants to bitch and people to agree with him.


  • ♿ (Parody)

    @lucas1 said:

    He wants to bitch and people to agree with him.

    Me too! 🍹



  • @blakeyrat said:

    @lucas1 said:

    Why should a machine config be in a code repo?

    Why should a trolling douchebag be on this forum? That's a real puzzler.

    lol



  • @boomzilla But you are more amusing.



  • @Onyx said:

    @cartman82 A library, but more hipster? 🎣

    Ah, then they must have decided that Modula-2 was old enough to be hijacked for hipster terminology, I take it.



  • @anonymous234 What took you so long to reach that conclusion? I knew JS was crap before it was cool to think it was crap PHP came out, and that was in, like, 1996.

    But since the alternatives were VBScript (which only ran client-side if you were running Exploder), ActiveHex (which only ran client-side on Windows clients), and Java crapplets (which 9 times out of 10 didn't run at all), we all just swallowed it as the least horrible of the choices available.

    Don't get me wrong, there's a decent language inside it somewhere, sort of, but from the start it was more "let's try this and see if it works" than any real design. The ECMA folks tried their best, but Netscape had created a monster and then kept tweaking it without informing the standards committee, then Microsoft got into the act with ASP for JavaScript and the whole thing just became a huge crapsack.

    The only real nice thing about it was the one thing everyone is down on now, in fact - using closures and prototyping as the object system, which originally was just a hack to keep the language simple but actually was pretty nice for the time as it meant you didn't need a huge hierarchic infrastructure just to validate a phone number input box. The idea that it would ever be used for much more than that wasn't even on anyone's minds.



  • @boomzilla Our back-end grabs them from Nuget and shoves them in the repo. It's the front-end where that's impractical because instead of a dozen DLLs, it's 40,000,000 tiny text files.



  • @cartman82
    Yeah. In the meanwhile PHP has the best dependency manager nowadays.
    Composer just works™. Which goes a long way to show how shitty the others are.


  • Discourse touched me in a no-no place

    @boomzilla said:

    Seems like you ought to be able to just keep your dependencies in your main repository.

    Or have a specialised repository for released versioned software that can be shared across many projects, and which is designed so that you can have instances locally that can delegate to global instances for code that is unknown. The only issue is that it potentially leaks package names from your internal systems, but given the modern habit of using names like jefferson-fruitbat nobody really learns anything from that.



  • Woohoo, I caught one!
    /me reels in a @xaade



  • https://twitter.com/ThePracticalDev/status/712782892762587137
    Let me search for this.

    Okay... Somebody really needs to rationalize the existence of such "libraries"



  • @WPT said:

    Okay... Somebody really needs to rationalize the existence of such "libraries"

    All people know is how to piece shitty libraries together. So the tools they get let'em do just that.



  • @WPT

    Wow, this is now sort of turning into an avalanche against npm and the node ecosystem. Similar to what happened when they discovered the initial security leak in openssh. Suddenly a lot of outsiders start looking very closely at something they used to take for granted, and lo and behold, everything is crap under the surface and aren't we all horrified and someone please think of the children.

    Here's the actual article behind the tweet.

    TLDR: the author is strongly against this trend of "micro-libraries", consisting of just one simple function.

    A lot of these outcries sound like conservative "in my time, we had to walk 10 miles" kind of arguments. I mean, why shouldn't we require individual functions instead of dragging the entire library along, 90% of which we don't need? Just because we had always used libraries before and that's how it's supposed to be, damnit?

    On the other hand, if a library follows that same methodology, that creates those deep dependency trees of tiny modules that all these .NET guys are now making fun of (finally a chance to feel relevant!).

    Personally, I'm still undecided. I wouldn't dismiss the idea of micro-modules out of hand, but those dependency graphs do look ugly. Maybe there's some middle ground there.

    Someone should do a real study and benchmark this shit. Articles like this are amusing, but not very helpful.


  • ♿ (Parody)

    @dkf said:

    shared across many projects

    I guess that makes sense. But not a problem I have.



  • @ScholRLEA

    People keep saying JS is crap, but it is the one of the few languages I enjoy programming in. The others are Python, PHP and Closure.

    I do a lot of C# and tbh it is probably one of the best languages out there but it is soo boring to program.



  • @cartman82 I mean I am fine with tiny modules that actually mean something. But with a whole lot of boiler-plate "one-liners" that actually do stupid things such as these. https://github.com/ooxi/false/blob/master/false.js

    This needs to be regulated.

