Ranter
Join devRant
Do all the things like
++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatar
Sign Up
Pipeless API
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple API
Learn More
Comments
-
Root825996yI, too, hate NPM and what it encourages.
It's continually buggy, and strongly encourages the mindset that "other people's code is always better." -
Root825996y@Hubot-0x58 Someone removed their leftpad package and broke much of the internet. 😅
Seriously, who couldn't write a leftpad function? That's like a first year CS problem. And what about depending on little packages that will be abandoned at some point?
You shouldn't write everything yourself, of course: reinventing the steam engine is modestly difficult, but the wheel? bloody trivial. Feel free to "reinvent" it.
But another issue:
There are very real security concerns with using other people's packages. If a project is 10% your code, what is the other 90% doing? To illistrate this with a bit of a strawman: I could easily obfuscate code to steal users' data and mask that behavior from developers, and publish it as a useful-looking npm package. I could write it to only steal data in production, on Thursdays, at random intervals, while the dev tools are closed; detecting it would be nearly impossible. Furthermore, the readable released source doesn't have to match the compiled and minified package, either, so examining its repo wouldn't help. If I convince other devs to include this utility package in their packages, the NPM mentality will eventually have my nefarious package included in large, widely-used projects, and silently stealing the data of millions of users.
Possible? Absolutely.
Difficult? Less than you'd think. -
CodeBane7756y@Root heh that's like the software version of those Chinese chips 😂😂.
Scary how fragile the world actually is when you think about how you could break it -
Root825996y@CodeBane Everything can be broken and exploited given enough time and effort. That's why the best security people are ex-criminals/hackers/etc. 😋 They know what to look for, and more importantly: how to think.
@Hubot-0x58 Honestly, that's about it. Some common sense too: filesizes that sound right, inspecting rendered pages, etc. Also doing a secondary analysis in production since code behavior changes past the boundary. (I'm thorough/paranoid when it comes to bugs and quality testing, so this is my usual anyway)
The world is a scary place, especially when you blindly trust others and their work.
Related Rants
npm is the WORST MISTAKE THAT HAS EVER HAPPEND TO SOFTWARE ENGINEERING. I HATE IT AND I REGRET EVER READING ITS DOCUMENTATION, SO MUCH WAISTE OF TIME ON ABSOLUTE JUNK
rant
npm
javascript