10

npm is the WORST MISTAKE THAT HAS EVER HAPPEND TO SOFTWARE ENGINEERING. I HATE IT AND I REGRET EVER READING ITS DOCUMENTATION, SO MUCH WAISTE OF TIME ON ABSOLUTE JUNK

Comments
  • 0
    Works on my machine and my 30 or so production node servers /shrug
  • 0
    Long live composer ! Long live php !
  • 0
  • 3
    I, too, hate NPM and what it encourages.

    It's continually buggy, and strongly encourages the mindset that "other people's code is always better."
  • 3
    @Root I once read about some leftpad fiasco months ago, and having to use so many dependencies like a black box is bothersome.
  • 2
    Cmon guys it ain't that bad..
  • 3
    @Hubot-0x58 Someone removed their leftpad package and broke much of the internet. 😅

    Seriously, who couldn't write a leftpad function? That's like a first year CS problem. And what about depending on little packages that will be abandoned at some point?

    You shouldn't write everything yourself, of course: reinventing the steam engine is modestly difficult, but the wheel? bloody trivial. Feel free to "reinvent" it.

    But another issue:

    There are very real security concerns with using other people's packages. If a project is 10% your code, what is the other 90% doing? To illistrate this with a bit of a strawman: I could easily obfuscate code to steal users' data and mask that behavior from developers, and publish it as a useful-looking npm package. I could write it to only steal data in production, on Thursdays, at random intervals, while the dev tools are closed; detecting it would be nearly impossible. Furthermore, the readable released source doesn't have to match the compiled and minified package, either, so examining its repo wouldn't help. If I convince other devs to include this utility package in their packages, the NPM mentality will eventually have my nefarious package included in large, widely-used projects, and silently stealing the data of millions of users.

    Possible? Absolutely.
    Difficult? Less than you'd think.
  • 1
    @Root That's very scary indeed.
    I need to research more into this to minimize the risks, but what are some steps you take besides only using packages you absolutely need?
  • 1
    @Root heh that's like the software version of those Chinese chips 😂😂.

    Scary how fragile the world actually is when you think about how you could break it
  • 1
    @CodeBane Everything can be broken and exploited given enough time and effort. That's why the best security people are ex-criminals/hackers/etc. 😋 They know what to look for, and more importantly: how to think.

    @Hubot-0x58 Honestly, that's about it. Some common sense too: filesizes that sound right, inspecting rendered pages, etc. Also doing a secondary analysis in production since code behavior changes past the boundary. (I'm thorough/paranoid when it comes to bugs and quality testing, so this is my usual anyway)

    The world is a scary place, especially when you blindly trust others and their work.
  • 0
    @Root Thank you! *shudders*
Your Job Suck?
Get a Better Job
Add Comment