Ranter
Join devRant
Do all the things like
++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatar
Sign Up
Pipeless API
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple API
Learn More
Comments
-
vicary4813y@100110111 @vane @molaram @lbfalvy If you believe GitHub takes up a major portion of version control, and package managers (npm, gem, pip, composer ... etc.) takes up much of the application level.
You may already know that supply chain attack is a thing now, and anything starts with CVE may block your CI/CD pipelines.
You may also noticed, otherwise you now knows, some vulnerabilities are simply nonsense. This CVE alone https://nvd.nist.gov/vuln/detail/... has led to huge amounts of build errors in a few days before it can be reverted and disputed.
This culture maybe normal in corporates where they privately fork the hell out of projects solely for licensing issues, because they have the manpower to do operate like that.
Assuming no further resources are assigned towards existing projects to aid upgrades, this is corporates, lead by Microsoft via GitHub and npm, asserting dominance/influence on the community and we are still suffering with no way out yet. -
vicary4813y@lbfalvy Read my previous post https://devrant.com/rants/4838135/..., it is only the tip of an iceberg.
There are twitter posts and blogs that I haven't kept track of, from people who has created a suite of PRs to solve existing bugs and fixing inconsistencies that the author simply refuses to take in. -
@vicary Lodash is a huge overgrown mess and it should have been broken up into at least 5 interdependent packages years ago. Vulnerability trackers don't track subpackage dependencies, that's another problem. If your imports are structured in such a way that nothing, not even tests are referencing _.template directly or indirectly, then you're not vulnerable and the pipeline shouldn't be complaining.
-
vicary4813y@lbfalvy Agreeing that some of the lodash functions should be spin off into standalone projects, they surely looks heavy and odd when compared to other functions in the lib.
There are friendly ways to discuss a function with its author, raising it above what it is and stick a red label on it is definitely not one of them.
In the original issue referenced by the CVE https://github.com/lodash/lodash/... the authors have been clear about the design and intended users, hack, they even have vulnerability reporting channels right at their SECURITY.md
As a contributor in many repos, I deeply feel a lack of respect and it's like I am forced to work on others' term. -
@vicary In my opinion, instability stems from overgrown teams where everyone affects too much, working on overgrown bundles where every function contributes to the apparent stability of the whole. It's not about how big a function is, if it's there as a reason for someone to have a contribution in Lodash, it should not be in Lodash. Generally, unstructured open source (not open sourced corporate projects or those backed by corporate-esque foundations) works best when it's tiny projects, and everyone's extra energy is spent inspecting their dependencies and supporting where needed or dropping those which can't be made to conform to the original package's quality and security guarantees.
-
vicary4813y@lbfalvy 100% the spirit for like 98% of the projects. Scoping it bite-sized spare time works are the way to go, and that's how I hate being forced to work by national security nonsenses. I am willing to learn, but definitely not being pushed around in this manner.
Speaking of that, Deno might be a rare breed. I believe Ryan initially made it just to rant on every single core team members of node.js on stage. Now a proper open source team is forming around it, absolutely amazing. -
vane113043y@vicary I think corporations use fossa and snyk for those things that are actually standards that complement the github workflow.
The open source community isn’t worth a rescue cause they killed and buried basically all the people that established open source movement.
If you talk about open source as a way to develop software I think we see great movement towards openess over last couple of years. It is cause corporate understands that they can’t afford good developers without relying on open source software cause it’s only way developers can learn stuff.
When I reach my short term milestone, I might start dedicating my full-time to one of the following projects:
1. deno
2. brain.js
3. The forking of TypeORM
4. The teardown of Isaac Schlueter
5. Create a full on movement to rescue open source
rant