Search - "npm audit"
You know what?
Young cocky React devs can suck my old fuckin LAMP and Objective-C balls.
Got a new freelance job and got brought in to triage a React Native iOS/Android app. Lead dev's first comment to me is: "Bro, have you ever used React Native".
To which I had to reply to save my honor publicly, "No, but I have like 8 years with Objective-C and 3 years with Swift, and 3 years with Node, so maybe I'll still be able to help. Sometimes it just helps to have a fresh set of eyes."
"Well, nobody but me can work on this code."
And that, as it turned out, was almost true.
After going back and forth with our PM and this dev I finally get his code base.
"Just run 'npm install'," he says.
Like no fuckin shit junior... let's see if that will actually work.
Node 14... nope whole project dies.
Node 12 LTS... nope whole project dies.
Install all of react native globally because fuck it, try again... still dies.
Node 10 LTS... project installs but still won't run or build complaining about some conflict with React Native libraries and Cocoa pods.
Go back to my PM... "Um, this project won't work on any version of Node newer than about 5 years old... and even if it did it still won't build, and even if it would build it still runs like shit. And even if we fix all of that Apple might still tell us to fuck off because it's React Native."
Spend like a week in npm and node hell just trying to fucking hand install enough dependencies to unfuck this turd's project.
All the while the original dev is still trying TO FIX HIS OWN FUCKING CODE while also being a cocky ass the entire time. Now, I can appreciate a cocky dev... I was horrendously cocky in my younger days and have only gotten marginally better with age. But if you're gonna be cocky, you also have to be good at it. And this guy was not.
Lo, we're not done. OG Dev comes down with "Corona Virus"... I put this in quotes because the dude ends up drawing out his "virus" for over 4 months before finally putting us in touch with "another dev team he sometimes uses".
Next, me and my PM get on a MS Teams call with this Indian house. No problems there, I've worked with the Indians before... but... these guys are not good. They're talking about how they've already built the iOS build... but then I ask them what they did to sort out the ReactNative/Cocoa Pods conflict and they have no idea what I'm talking about.
Why?
Well, one of these suckers sends a link to some repo and I find out why. When he sends the link it exposes his email...
This Indian dude's email was our-devs-name@gmail.com...
We'd been played.
Company sued the shit out of the OG dev and the Indian company he was selling off his work to.
I rewrote the app in Swift.
So, let's review... the React dev fucked up his own project so bad even he couldn't fix it... had to get a team of Indians to help who also couldn't fix it... was still a dickhead to me when I couldn't fix it... and in the end it was all so broken we had to just do a rewrite.
None of you get npm. None of you get React. None of you get that doing the web the way Mark Zuckerberg does it just makes you a choad locked into that ecosystem. None of you can fix your own damn projects when one of the 6,000 dependency developers pushes breaking changes. None of you ever even bother with "npm audit fix" because if security was a concern you'd be using a server side language for fucking server side programming like a grown up.
So, next time a senior dev with 20 years exp. gets brought in to help triage a project that you yourself fucked up... Remember that the new thing you know and think makes you cool? It's not new and it's not cool. It's just JavaScript on the server so you script kiddies never have to learn anything but JavaScript... which makes you inarguably worse programmers.
And, MF, I was literally writing javascript while you were sucking your mommas titties so just chill... this shit ain't new and I've got a dozen of my own Node daemons running right now... difference is?
Mine are still working.
$ npm audit
> found 19 vulnerabilities (10 low, 5 moderate, 3 high, 1 critical)
$ npm audit fix
> fixed 0 of 19 vulnerabilities in 11987 scanned packages
> (use `npm audit fix --force` to install breaking changes; or do it by hand)
$ npm audit fix --force
> npm WARN using --force I sure hope you know what you are doing.
Me too, buddy. Me too.
The fuck did I do wrong?
So I had 11 vulnerabilities 1 high.
I just npm audit fix
Now it's 44 vulnerabilities.
No other language can do something as fucky as javascript.
"7 high severity vulnerabilities"
$> npm audit fix --force
"13 vulnerabilities (11 high, 2 critical)"
How is this fixed?!
It will be a great day when JS finally prolapses under the weight of its own hubris.
`npx create-react-app blah`
`cdls blah && npm audit`
63 vulnerabilities.
good fucking job.
To be fair, they're all minor, but they're all *exactly* the same, caused by the same freaking package. Update your dependencies already!
------
`npm i --save formik && npm audit`
68 vulnerabilities, three of them critical.
ugh.
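The `--force` runs in the posts above, and the observation that 63 findings all trace back to one package, both come down to reading the audit report itself rather than the one-line summary. As an added example (not code from any post on this page), here is a small Node script that summarises an `npm audit --json` report by severity and by root package and diffs two reports, so a fix run that trades a few findings for more is caught before it is committed; it assumes the npm 7+ report shape (`auditReportVersion: 2`), and both reports in it are constructed samples, not real advisories.

```javascript
// Added example, not code from any post on this page: summarise an
// `npm audit --json` report (npm 7+, auditReportVersion 2) by severity and
// root cause, and diff two reports so a `--force` run that swaps a few
// findings for many new ones is caught. Both reports are constructed samples.
function roots(report, name, seen = new Set()) {
  // A string in `via` means "vulnerable only through that package"; an
  // object is an advisory on this package itself, i.e. a root cause.
  if (seen.has(name) || !report.vulnerabilities[name]) return [];
  seen.add(name);
  const out = [];
  for (const via of report.vulnerabilities[name].via) {
    if (typeof via === 'string') out.push(...roots(report, via, seen));
    else out.push(name);
  }
  return [...new Set(out)];
}
function summarize(report) {
  const bySeverity = {}, byRoot = {};
  for (const [name, v] of Object.entries(report.vulnerabilities)) {
    bySeverity[v.severity] = (bySeverity[v.severity] || 0) + 1;
    for (const r of roots(report, name)) byRoot[r] = (byRoot[r] || 0) + 1;
  }
  return { total: Object.keys(report.vulnerabilities).length, bySeverity, byRoot };
}
function diffAudits(before, after) {
  const b = new Set(Object.keys(before.vulnerabilities));
  const a = new Set(Object.keys(after.vulnerabilities));
  return {
    fixed: [...b].filter(n => !a.has(n)).sort(),
    introduced: [...a].filter(n => !b.has(n)).sort(),
    regression: a.size > b.size,   // more findings than before: --force made it worse
  };
}
const adv = (name, severity) => ({ name, severity, title: 'constructed advisory', range: '*' });
const vuln = (severity, via) => ({ severity, via, fixAvailable: true });
// Constructed "before": one advisory on minimist, also reached through mkdirp.
const before = { auditReportVersion: 2, vulnerabilities: {
  minimist: vuln('critical', [adv('minimist', 'critical')]),
  mkdirp: vuln('critical', ['minimist']),
  lodash: vuln('high', [adv('lodash', 'high')]),
} };
// Constructed "after --force": minimist tree gone, a new ansi-regex tree pulled in.
const after = { auditReportVersion: 2, vulnerabilities: {
  lodash: vuln('high', [adv('lodash', 'high')]),
  'ansi-regex': vuln('moderate', [adv('ansi-regex', 'moderate')]),
  'string-width': vuln('moderate', ['ansi-regex']),
  'strip-ansi': vuln('moderate', ['ansi-regex']),
} };
console.log(summarize(before), summarize(after), diffAudits(before, after));
```

On a real project, capture `npm audit --json` to a file before and after the fix run and `JSON.parse` those files in place of the two samples.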
I should just quit. I am not paid enough to deal with this pissing contest.
Reviewer:
Need to add instructions (on readme) for installing pnpm, or if possible, have the top-level npm i install it (lol).
Also, it looks like we are no longer using lerna? If that's right, let's remove the dependency; its dependencies give some security audit messages at install.
Me:
it's good enough for now. Added a new ticket to resolve package manager confusions. (Migrate to pnpm workspaces)
Reviewer:
I will probably be responsible for automating deployment of this (I deployed the webapp on cloudflare pages and there is no work that needs to be done. "automating deployment" literally means replacing npm with pnpm). I disagree that it's good enough for now.
Imagine all readmes on github document how to install yarn/pnpm.
Lesson learned:
If you think an OOP static site developer can't handle a modern JS framework, you are probably right.
npm audit has gone wild since GitHub (aka Microsoft) acquisition, they surely found a way to influence the community.
Now, guys, embrace the creeping evil until deno is really out.
If only NPM's security team (so pretty much NSP's) would inform the package owners as soon as they discover vulnerabilities and give them the standard 30-90 days to fix them and release a new version before going public, instead of straight out publishing the security audits, which generates noise on the terminal (obviously when using npm) and on GitHub.
Me at 3 front-end tech screenings of candidates with +3y of exp last year: "can you name a few npm commands you have used?"
Candidate:
- "Ehh.. npm start?" (npm start is a shortcut to a user-defined run-script)
- "npm version, it publishes the package" (wrong)
- "not going to pretend I know and sound stupid"
Mind you, these candidates were not necessarily bad, but come on? You never used npm info, outdated, audit, install, remove, update, why, link, init?
From the look of https://github.com/yarnpkg/berry/..., Microsoft is not (yet) planning to hug "npm audit" as a great evil plan of asserting dominance to the open source community by raising everything into NatSec level and force shortcut releases.
If that's the case alternatives like yarn and pnpm will be removed from the scene, VS Code will be intentionally made incompatible with Yarn's PNP just like how NPM sneaks https://github.com/npm/arborist/... through, under the name of security.
I am still not convinced, it is Microsoft after all. We'll see.
P.S. I will laugh menacingly if that turns out to be ONLY a stupid dream and a poor decision of one single genius businessman.