to create a fucking form in react, i need to install 199+ packages fuck that.

There’s this archaic language that uses some weird symbols like <form>
Legend has it that that was all was needed! Such fantasies!

I know! Why would anybody use a tag when you can make you app 100x slower! It’s inconceivable! 🤣

To view any HTML5 form you need thousands of packages made by cities' worth of people over the course of 30 years, it's just neatly packaged as a web browser. The NPM ecosystem is terrible but the reason isn't the many thousands of packages that correctly follow separation of concerns.

Get this disgusting scum off my platform. I use HTML, CSS and raw JavaScript.

@kiki and PHP on the backend!

or just this one: https://www.react-hook-form.com/

that one is my go to

@benj js on the backend, duh

@kiki 😅😅

WASM or bust.

If you’re not forced to use react, then code it yourself ¯\_(ツ)_/¯

Imagine doing webdev and not even considering <form>

An empty React project is like 350mb.
That’s nuts.

@Root GCC alone is 150mb. Luckily, dev toolchains are optimized for entirely different targets from the applications themselves.

@lorentz That’s fair, it is the entire toolchain, and most of it isn’t bundled with your built application.

I really don’t get what the problem is. No one complains that a 4K movie is 25GB…

For me is not only the size, is the black hole of unknown that is there. The size of gcc or the size of a 4k movie are not really code that runs without you knowing what is doing. Gcc compiles you program and it one is paranoid it is possible to disassemble it and see what is doing, a 4k movie doesn’t (hopefully) run any arbitrary code. But 100+ npm packages is something that is being used not only to build the app but also delivered with it and thus one takes responsibility of it. With the sheer amount of dependencies and dependencies to dependencies not a lot of people keep an eye of those 200mb of code for a simple react app, and it has bitten us before in the back!

https://theregister.com/2022/02/...

@benj I see, I agree that this is an issue, but the fact is that we need to just live with. I don’t see npm being worse than pypi, CTAN, any C library, heck open source in its entirety.

So I wonder why do people shit on npm that much?

@dder that’s fair. The difference with NPM IMHO is one of obscurity and probably why it’s become a target for malware and it has gotten away with it. With the nodejs ecosystem you have software tuning software running software running software (from react code being processed by jsx to sass processed by some lib in rust to all that output packaged and then minified to finally running in the browser to the browser running in an OS). And it’s quite cumbersome to audit all the layers. Also adding/modifying packages in NPM is trivial.

For a C lib, yes, anybody can pull some random header from GitHub with all kinds of malware, but that’s not usually how they are distributed. Either libraries are compiled statically or they are distributed by things like brew or apt-get or yum, in Linux and other OS package managers, and the barrier of entry there is a lot higher. Heck, I’m aware of devs that don’t use anything that hasn’t been out here for at least 20+ years!

@dder but you are right, is not just npm, malware has been found in pip packages too and the debacle with log4j shows that it’s everywhere. But there are places when one needs to be slightly more aware of what’s going on than others because there are less protections

@mansur85 yeah, why is npm worse then?

@benj I do agree that it’s trivial to publish an npm package. But it is rather hard to get people to use it, ie build a community around it. Once you have a community and maintainers, etc, it gets harder to publish malicious code, because more eyes are watching.

Again, this is ecosystem and language agnostic.
Sure it might be easier for bug to be present if you have a build system of many tools, but that is similar to even auto tools or cmake, make, ninja, …