Guy brings down thousands of npm builds



  • @mikehurley

    Yes they are. Such is the life of a contractor

    What I am not a fan of is that in a lot of C# dev, most of the code that isn't part of .NET or a third-party lib is crap. Just utter crap, written by company men that have worked in the same place since they left uni. It takes 5 minutes to see if a change has worked in these monster monolithic projects.

    In JS, there is just the browser. I can iterate quickly and get shit done, no 5 minutes compile / refresh debug crap I have to put up with in the projects I use.


  • Trolleybus Mechanic

    @lucas1 Fair enough. Although I wouldn't call that "exciting" but rather "useful".



  • @Vaire said:

    @Choonster I mean ... OK, sure? But we are skating on the edge of what the actual definition of closed source is. And every enterprise setup I have worked for that wanted everything closed source, wanted everything developed in-house as well, and audited the code to ensure compliance with that so ... yeaaaah ..... o_O

    GitHub Desktop, Minecraft and Blizzard's Battle.net launcher all use open source libraries, yet none have visible source code. I'd consider them all to be closed source.

    I acknowledge that a lot of business/enterprise software is probably all internally developed without any open source libraries (I don't have any experience with it myself), but that's not the only type of closed source software.



  • @Choonster said:

    @Vaire said:

    @Choonster I mean ... OK, sure? But we are skating on the edge of what the actual definition of closed source is. And every enterprise setup I have worked for that wanted everything closed source, wanted everything developed in-house as well, and audited the code to ensure compliance with that so ... yeaaaah ..... o_O

    GitHub Desktop, Minecraft and Blizzard's Battle.net launcher all use open source libraries, yet none have visible source code. I'd consider them all to be closed source.

    I acknowledge that a lot of business/enterprise software is probably all internally developed without any open source libraries (I don't have any experience with it myself), but that's not the only type of closed source software.

    Fair enough, can't say that you are wrong. But when I hear "closed source" I think CLOSED source, as in, wall-o-impenetrability =_=



  • If any of you feel stranded without the left-pad library, your solution is here!



  • @Vaire I think your standards are a bit low.

    But if that's what you're into, I can write insightful thoughts on programming languages all night long, baby.



  • this is an opportunity for someone to get incredibly popular in the node world creating the new padleft function that will be adopted by all these projects that will need a replacement

    I'm considering avoiding the competition for the new padleft and starting to write a padright function instead, so that in case the padright library ever does the same, I'll have mine ready.



  • @fbmac You can probably get some VC funding for that.


    Filed under: things that sound like jokes but are not



  • @fbmac Just like the isfalse "library", we should try and put up an "istrue" alternative and some other binary stupid "libraries".


  • 🚽 Regular

    @Vaire said:

    @The_Quiet_One You're not wrong ... but I maintain that any CSS project done that way is slapping the shit out of the definition of what it means to be "CLOSED" source. 🤷

    It's a fact of life that companies go out of business, and when they do, you're just as SOL.


  • ♿ (Parody)

    @blakeyrat said:

    @dkf I didn't ask.

    Why do bad things always happen to you?






  • ♿ (Parody)

    @ben_lubar 22 proposed PRs! TWENTY TWO.



  • @boomzilla said:

    22 proposed PRs!

    There are 78 open and 152 closed.



  • @ben_lubar Let's do a variation for "7". I like 7.



  • @cartman82 said:

    @WPT

    Wow, this is now sort of turning into an avalanche against npm and the node ecosystem. Similar to what happened when they discovered the initial security leak in openssh. Suddenly a lot of outsiders start looking very closely at something they used to take for granted, and lo and behold, everything is crap under the surface and aren't we all horrified and someone please think of the children.

    A lot of these outcries sound like conservative "in my time, we had to walk 10 miles" kind of arguments. I mean, why shouldn't we require individual functions instead of dragging the entire library along, 90% of which we don't need? Just because we had always used libraries before and that's how it's supposed to be, damnit?

    On the other hand, if a library follows that same methodology, that creates those deep dependency trees of tiny modules, which all these .NET guys are now making fun of (finally a chance to feel relevant!).

    Personally, I'm still undecided. I wouldn't dismiss the idea of micro-modules out of hand, but those dependency graphs do look ugly. Maybe there's some middle ground there.

    I'm not sure what micromodules gets you, really. I don't know about you but when I do a bunch of math I tend to need more than one function at a time. If I need sqrt I probably need log and exp. If I need padLeft, I'm going to need padRight when someone decides to change the justification on something or whatever. What exactly do I gain by only importing one? Sure, it makes my 'code footprint smaller' or whatever but it also means you need to change your project dependencies to change the justification on a report. If you also use something that uses padLeft and they've fixed their padLeft version to v3, but you're using v4 so you can pad with repeated strings, now you have two different versions of padLeft.

    Combine worrying about malicious package maintainers because there are thousands of maintainers, they can't all be perfect. Combine worrying about maintaining up-to-date packages because of vulnerabilities.

    I mean, 'require string' is boring but it's less work for me, less work for the package manager, and much less fucking stupid.



  • So, I noticed that this topic was mentioned in the comments to an Ars Technica article on this subject. I wonder if we'll get any new people from that.



  • @Vaire So then, how's the market for COBOL doing these days? 'Cos aside from that, there's fuckall in the industry that has ever fit that description. Even C and Ada are goddamn moving targets, and they are rock fucking solid compared to anything used in web development.

    There are times I think we have to be nuts to put as much trust in this crap as we do, until I remember how things were before we had it. That doesn't mean it is any less crazy, it just means it is desperate, too.



  • @cartman82 openssh is useful



  • @powerlord said:

    So, I noticed that this topic was mentioned in the comments to an Ars Technica article on this subject. I wonder if we'll get any new people from that.

    I know that there's someone from ars who loves Discourse ...


  • BINNED

    @powerlord
    Wondering if @Lee_Ars made it to the new forum

    dammit :hanzo: I shouldn't have let that post sit so long


  • Notification Spam Recipient

    @aliceif "I write about technology and stuff?" It's bullshit like this why I can't take tech writers seriously. Pick a specialty and get good at it. There's something about ars writers that screams tabloid hack to me.

    Well that's one rant down.



  • Not saying this is not stupid but it can also happen in other environments. For example, there's this 3rd party lib which is a dependency for Spring (antlc or something like that) that if it gets removed all hell would break loose.

    Again, JavaScript needs some sort of ASF behind it.



  • @DogsB I remember a college professor being very angry here when a local newspaper interviewed him, and published an article claiming completely wrong things to his name, because they didn't understand shit from what he said.


  • Discourse touched me in a no-no place

    @fbmac said:

    they didn't understand shit

    That seems to be normal for anything involving journalists where I know the details, so I assume it is normal for others too.


  • FoxDev

    @fbmac said:

    I remember a college professor being very angry here when a local newspaper interviewed him, and published an article claiming completely wrong things to his name, because they didn't understand shit from what he said.

    That's because the media doesn't publish what is right, but what will sell



    @RaceProUK he showed the article, they were really confused, the gross errors didn't add to the impact or anything.

    They tried to translate the explanation into layman's terms, and wrote plain wrong stuff, attributing it to him. Probably damaging his reputation with others that understand the subject.



  • http://threepanel.com/media/upload/user_classam/senor-lamp-219.png

    Of course, the company isn't really in the wrong here. They must defend their trademark, or they'll lose it.


  • I survived the hour long Uno hand

    Another writeup:

    There’s a package called isArray that has 880,000 downloads a day, and 18 million downloads in February of 2016. It has 72 dependent NPM packages. Here’s its entire 1 line of code: return toString.call(arr) == '[object Array]';
    There’s a package called is-positive-integer (GitHub) that is 4 lines long and as of yesterday required 3 dependencies to use. The author has since refactored it to require 0 dependencies, but I have to wonder why it wasn’t that way in the first place.
    A fresh install of the Babel package includes 41,000 files
    A blank jspm/npm-based app template now starts with 28,000+ files

    The comments are good too:

    “You wanted to buy a CPU from us? That’s not how we do business. We found it was much quicker to push out features to you if we went for a more lego block approach. Instead of a CPU you get to choose a combination of any of our 1,000 micro components. Each one is on a different release cycle to ensure velocity and it’s up to you to ensure the versions you are using are compatible. Oh. We also found it was better to outsource our 1,000 components to 100 different short-term contractors across the world. The contract terms? Yeah. We let our contractors terminate the relationship at any time and we don’t ensure any sort of QA. They’re all great teams, don’t worry about it! Also, none of these teams are expected to know what the other teams are working on or what changes they are developing. We feel that organizing at that level slows down innovation. Almost forgot! You also get to solder everything together yourself and how you see fit — we supply you the soldering board and the solder at no additional charge!”



  • @dkf said:

    That seems to be normal for anything involving journalists where I know the details, so I assume it is normal for others too.

    I'd say they're probably good at journalism, but then I remember the New York Times writer who just made shit up and nobody noticed for years, so nevermind.



  • @JazzyJosh Did you see the replies the maintainer of "PadLeft" made to this company? He was an UTTER dick.

    https://medium.com/@mproberts/a-discussion-about-the-breaking-of-the-internet-3d4d2a83aa4d#.m85hwfwgf

    Some quotes from the author of the open source Kik:

    hahah, you’re actually being a dick. so, fuck you. don’t e-mail me back.

    Yeah, you can buy it for $30.000 for the hassle of giving up with my pet project for bunch of corporate dicks

    (And of course, the real issue here is how delicate the NPM house of cards is; it doesn't matter why the packages were pulled, the problem is that pulling them caused all kinds of shit elsewhere to fail.)



  • @ScholRLEA said:

    @Vaire So then, how's the market for COBOL doing these days? 'Cos aside from that, there's fuckall in the industry that has ever fit that description. Even C and Ada are goddamn moving targets, and they are rock fucking solid compared to anything used in web development.

    There are times I think we have to be nuts to put as much trust in this crap as we do, until I remember how things were before we had it. That doesn't mean it is any less crazy, it just means it is desperate, too.

    I know you weren't being serious, but weirdly, the COBOL market is actually high in demand right now. Lots of OLD-ass code running on emulators keeping banks and stock markets creaking along, my friend o_O

    But, I maintain that I will prefer CSS like C# to JS and the "micro economy" they've developed for themselves, any day. :P



  • @JazzyJosh Additionally, they're right - they wanted to push a module of their own onto NPM and the name of the FOSS zealot's module would have caused confusion.

    Which is exactly what this whole trademark thing is about.



  • @Rhywden Moreover, NPM does have a "don't be a dick" clause in the user agreement (seriously; the guy from Kik points it out), and the maintainer was CLEARLY being a dick. That alone should have been cause for him to lose his packages.



  • @blakeyrat said:

    @Rhywden Moreover, NPM does have a "don't be a dick" clause in the user agreement (seriously; the guy from Kik points it out), and the maintainer was CLEARLY being a dick. That alone should have been cause for him to lose his packages.

    I don't quite understand why they're not doing it like countless other public repositories in the first place (nuget comes to mind, just one example):

    You have the right to pull a particular library/module/addon/whatever version for security reasons (insecure/erases your harddisc/brings about Ragnarök) but you cannot remove your whole repo. If you later decide to move on, your stuff will still be there with all its versions.



  • @Rhywden That's the least part of the problem. The real problem is why was one project, much less HUNDREDS or THOUSANDS, built atop useless code maintained by this utter jackass? Code it would have been faster to rewrite than even search for?

    Why is NPM or Node.JS, which are organizations with budgets and lawyers, not creating their own standard libraries to do shit like PadLeft? Why the FUCK was any of this necessary in the first place?

    Why would "professional" software developers pick an environment that only had one implementation of string.PadLeft and it was made by a jackass? Did they do ZERO due diligence? Somehow less than zero?



  • @blakeyrat From what I read, it wasn't a direct dependency for most people - it was an indirect one.

    For instance, the module Babel made use of this - it's a module which transforms ES2015/2016 code down into legacy JavaScript so any browser can make sense of stuff.

    So, you add Babel as a dependency which in turn uses padleft.
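The indirect-dependency point made in this post (and the earlier remark that a tree can end up holding two different versions of padLeft) can be checked mechanically against a project's lockfile rather than discovered when a package disappears. The following is an added example, not code from the thread and not npm's own tooling: it walks a package-lock.json in the lockfile-v1 nested `dependencies` shape and reports every install path to a named package, packages present in more than one version, and entries that carry no `integrity` hash for npm to verify a fetched tarball against. The lockfile contents are constructed for the example; apart from `left-pad` and `babel-core`, which the thread discusses, every package name, version and hash in it is made up.

```javascript
// Added example (not from the thread, not npm's own code). Walks an npm
// lockfile in the v1 nested "dependencies" shape and answers three questions
// a reviewer of a dependency tree would ask.

// Constructed lockfile for the example. Every name, version and hash below is
// invented, except that left-pad and babel-core are the packages the thread
// discusses.
const CONSTRUCTED_LOCK = {
  name: "example-app",
  version: "1.0.0",
  lockfileVersion: 1,
  dependencies: {
    "babel-core": {
      version: "6.7.0",
      integrity: "sha512-CONSTRUCTEDhashForBabelCore",
      requires: { "line-numbers": "0.2.0" },
      dependencies: {
        "line-numbers": {
          version: "0.2.0",
          integrity: "sha512-CONSTRUCTEDhashForLineNumbers",
          requires: { "left-pad": "0.0.3" },
          dependencies: {
            "left-pad": { version: "0.0.3", integrity: "sha512-CONSTRUCTEDhashForLeftPad003" },
          },
        },
      },
    },
    "report-formatter": {
      version: "2.1.0",
      // No integrity field: nothing pins the tarball contents for this entry.
      requires: { "left-pad": "1.0.0" },
    },
    "left-pad": { version: "1.0.0", integrity: "sha512-CONSTRUCTEDhashForLeftPad100" },
  },
};

// Depth-first walk over every installed entry, yielding the entry together
// with the chain of package names from the application root down to it.
function* walk(deps, path = []) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const here = [...path, name];
    yield { name, entry, path: here };
    yield* walk(entry.dependencies, here);
  }
}

// Every install path that ends at `target`. A one-element path is a direct
// dependency of the application; longer paths are the indirect ones.
function pathsTo(lock, target) {
  const paths = [];
  for (const { name, path } of walk(lock.dependencies)) {
    if (name === target) paths.push(path);
  }
  return paths;
}

// Packages installed in more than one version anywhere in the tree,
// mapped to their sorted list of versions.
function duplicateVersions(lock) {
  const versionsByName = new Map();
  for (const { name, entry } of walk(lock.dependencies)) {
    if (!versionsByName.has(name)) versionsByName.set(name, new Set());
    versionsByName.get(name).add(entry.version);
  }
  const duplicates = {};
  for (const [name, versions] of versionsByName) {
    if (versions.size > 1) duplicates[name] = [...versions].sort();
  }
  return duplicates;
}

// Entries without an integrity hash, as "path@version" strings. Bundled
// entries are skipped because v1 lockfiles legitimately omit the hash for
// them (the containing package's tarball covers them).
function missingIntegrity(lock) {
  const flagged = [];
  for (const { entry, path } of walk(lock.dependencies)) {
    if (entry.bundled) continue;
    if (!entry.integrity) flagged.push(`${path.join(" > ")}@${entry.version}`);
  }
  return flagged;
}

// Stand-alone usage: run this file with node to print the three reports.
console.log("paths to left-pad:", pathsTo(CONSTRUCTED_LOCK, "left-pad"));
console.log("duplicate versions:", duplicateVersions(CONSTRUCTED_LOCK));
console.log("missing integrity:", missingIntegrity(CONSTRUCTED_LOCK));
```

On the constructed tree the walk finds left-pad twice, once three levels down under babel-core and once at the top level, in two different versions, and flags report-formatter as the one entry nothing can verify. Lockfile v2 and v3 files keep the same information in a flat `packages` map keyed by node_modules path, so the walk would need to be adapted for those; the questions it answers stay the same.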



  • @WPT said:

    some other binary stupid "libraries".

    ismale and isfemale? :trollface:



  • @Rhywden said:

    @blakeyrat From what I read, it wasn't a direct dependency for most people - it was an indirect one.

    If you're shipping the product, you're responsible for all the code that ships with the product. So that really doesn't matter. The instant my company chose WebAPI2 for our REST API, WebAPI2 became part of our product.

    The problem is people are shipping code they obviously didn't in any way vet first.



  • @Vaire Fair enough. Everyone here knows that my preference among current web tools is totally looney, so it isn't like I have any grounds to argue the point.


  • Discourse touched me in a no-no place

    @ScholRLEA Not everyone knows it is crazy. Some of us just hadn't heard of it before. :)



  • @OffByOne Call me isfemale ()?



  • @ScholRLEA Tell me I'm pretty 👧🏻


  • BINNED

    @ScholRLEA Call me FILE_NOT_FOUND? Is that what kids listen to these days?



  • @ScholRLEA whale got your dick?



  • I think it was well said by Yahtzee:

    https://www.youtube.com/watch?v=F8APwHQUHwY

    ONEBOX, BITCH! DO YOU UNDERSTAND IT?

    Apparently oneboxing Does Not Play Well with setting a starting time. The part I wanted is at 0:34.



  • @Vaire said:

    CSS like C#

    C# is a programming language. And OSS implementations for it have existed for a while already.





  • @blakeyrat

    Why is NPM or Node.JS, which is are organizations with budgets and lawyers, not creating their own standard libraries to do shit like PadLeft? Why the FUCK was any of this necessary in the first place?

    Because a lot of libraries have to work both in the Browser and Node.js and having a set of standard libraries that change the wrong stuff may break someone else's library and this will cause more WTFs not less.

    Also the whole point of stuff like node is that it is minimalist and not opinionated and lets you do what you want.

    It's fine to prefer the "batteries" included approach of .NET 4.6 and before. A lot of people don't like that and that is fine as well.

    I suspect that the NPM directory will become append only to fix the problem. Or they could have a separate set of packages that is produced by them which are a recommended import.

