Details
- About: Just a JavaScript enthusiast.
- Skills: LAMP, MERNG, AWS, serverless
- Location: Hong Kong
- Github
Joined devRant on 7/17/2016
-
@IntrusionCM go to any social platform and scroll down one single screen, you'll see an ad that you'll never care about but you have to see it. Now look at those npm audit warnings, feels familiar? It's some kind of funneling.
If you're starting to worry they're gonna somehow monetize this once the funneling is established, let me tell you one more thing.
Right before the Microsoft acquisition, npm launched the "npm fund" feature. Isaac's intention is always so clear, lacking sugarcoating and yet so poorly executed. -
@vintprox oh sorry for not getting what you meant, I was so infuriated... this guy really brings so much trouble to the world.
Heck, look at all his bios, GitHub, Twitter, he is full of himself. -
@vintprox Maybe try to understand people?
I was using npm and this commit is the last straw to make me actually start moving away from everything related to him. The hate started from the comma-first colon BS from the last decade.
Now if you would, pardon me and define what you mean by troll. -
if we have a conversation starter medal for the op
-
@lbfalvy 100% the spirit for like 98% of the projects. Scoping it into bite-sized spare-time work is the way to go, and that's why I hate being forced to work by national security nonsense. I am willing to learn, but definitely not being pushed around in this manner.
Speaking of that, Deno might be a rare breed. I believe Ryan initially made it just to rant on every single core team member of node.js on stage. Now a proper open source team is forming around it, absolutely amazing. -
@lbfalvy Agreeing that some of the lodash functions should be spun off into standalone projects, they surely look heavy and odd when compared to other functions in the lib.
There are friendly ways to discuss a function with its author, raising it above what it is and sticking a red label on it is definitely not one of them.
In the original issue referenced by the CVE https://github.com/lodash/lodash/... the authors have been clear about the design and intended users, heck, they even have vulnerability reporting channels right in their SECURITY.md
As a contributor in many repos, I deeply feel a lack of respect and it's like I am forced to work on others' terms. -
@molaram
hey thanks bro
vicary
head of ranting
tryhard inc -
@lbfalvy Read my previous post https://devrant.com/rants/4838135/..., it is only the tip of an iceberg.
There are twitter posts and blogs that I haven't kept track of, from people who have created a suite of PRs to solve existing bugs and fix inconsistencies that the author simply refuses to take in. -
@100110111 @vane @molaram @lbfalvy If you believe GitHub takes up a major portion of version control, and package managers (npm, gem, pip, composer ... etc.) take up much of the application level.
You may already know that supply chain attacks are a thing now, and anything that starts with CVE may block your CI/CD pipelines.
You may also have noticed, otherwise you now know, some vulnerabilities are simply nonsense. This CVE alone https://nvd.nist.gov/vuln/detail/... has led to huge amounts of build errors in the few days before it could be reverted and disputed.
This culture may be normal in corporates where they privately fork the hell out of projects solely for licensing issues, because they have the manpower to operate like that.
Assuming no further resources are assigned towards existing projects to aid upgrades, this is corporates, led by Microsoft via GitHub and npm, asserting dominance/influence on the community and we are still suffering with no way out yet. -
@Voxera I guess not taking more members is essentially blackmailing. Not pretty.
Should I be prepared for it every time? I honestly don't want to, because I've seen better.
That said, if I am being paid full time to work on this, I will seriously consider leaving my startup to my partners. So the incentive is understandable. -
@nitnip read the issue https://github.com/typeorm/typeorm/.... The only author stopped handling issues, stopped taking PRs because it was too much and he wants to be paid as a full time job. While other projects take in more members to collaborate, this guy wants money only for himself.
@Voxera TypeORM is licensed MIT https://github.com/typeorm/typeorm/..., I guess it is good to fork.
My example of Sequel Ace is a successor of Sequel Pro, which is also MIT https://github.com/sequelpro/.... The original project is years out of maintenance, Sequel Ace is now an active project that is listed on the macOS App Store.
I think there is nothing stopping a few passionate people from forking and rebranding. -
@ars1 It's an inevitable convergence because the dominant client env is the web, thus js. Server side is kinda forced.
Following this direction, the next small thing must be Deno since it sticks better with the web api.
The next big thing should be WASM so you may start moving away from js/ts, but this is counting in decades. -
squash. Also, make husky squash.
-
You sure the guy's name doesn't end in Webpack or something?
-
@c3r38r170 bonus point is to absolutely kill in at least one of the metrics. e.g. the concurrency of actix web
-
@c3r38r170 ngl main thing is getting enough brain juice to actually pick through deno.land/x.
A few example check marks for a library to be picked into my production stack:
1. Battle tested
2. Large and active user base
3. Responsible contributors
4. Comfortable API
5. Serverless friendly
6. Multithread/clustering awareness by design -
@IntrusionCM yarn workspace and pnpm?
Packaging an invalid usage as a security threat sounds like a convenient shortcut to force anything without major upgrades.
More context and the link to the CVE: https://github.com/npm/cli/...
And here is an example of why I think npm audit is stupid: https://github.com/lodash/lodash/... -
Isn't understanding what they're doing a basic requirement before launch?
Preventing preinstall scripts exploits by removing a feature, brilliant move. Might as well chop off frontal lobes to prevent dumb moves. -
Progress: Deep Q Learning and multi-armed bandit approaches pretty much remove 90% of the training data.
But still, a real geth needs to imagine[1] if a new theory[2] works before putting it into real life decisions.
I am currently thinking of a more flexible approach that generations are not strictly defined, surviving actors will breed new actors randomly within the same episode if other actors had reached a terminal state before them.
Such training may not be easily defined with N iterations/episodes, but instead ends with specified training time or target fitness score.
---
[1] Sample training data
[2] Layer definitions -
So it turns out I am assigning myself the only role that requires these rebases. I am the one who does all the low-level refactoring, CI definitions, shared utils and common codes.
-
@ScriptCoded You can keep all the faith in humanity, just let me air it out.
-
@ScriptCoded I don't waste my time in huge projects because pushing through a change means lots of credibility build-up and also working my way up to get the "contributor" tag to even have people replying.
People is people. Nash equilibrium forces me to pay as much effort as every other one of them to make a change as trivial as this one.
If I have to choose I'd rather make PRs to esbuild than webpack.
And this is where the niche of devrant comes in, when you don't want to waste your life to make a real change you can only rant. -
@ScriptCoded to be very honest, this kind of literal replacement is not even build time macro magic, things are still happening at runtime.
When I look at expressions like `if ("production" === "production")` in output bundles I just can't help myself but get depressed about what the modern internet is running itself upon. -
@ScriptCoded we assert required env vars from middlewares, which read keys from JSON config files, just a sane test and nothing magic.
webpack should be able to add these as global constant object literals, it just needs to change the way it processes DefinePlugins, before TerserPlugin takes place.
So in theory this is trivial, of course this may be a breaking change for people who invented things relying on the current behavior, but still trivial.
For the leaking keys problem, when you literally have to write DefinePlugins for NODE_ENV, or just EnvironmentPlugin to do that for each variable you want to appear in the bundle, I don't think there is room for surprises buried in the existing mechanism of webpack config, except carelessness of course. -
I don't know how it translates to exposing the whole env, I just assume generating global object literals constructed from DefinePlugins is easier than string.replace.
-
Solution: Use configOverwrite in fork-ts-checker-webpack-plugin to exclude that crap from type checking, so you can still share the same tsconfig.json without excluding it from the IDE.
-
@RememberMe "No data."
-
Project ARIA, Google had that exact same name for an axed modular mobile phone project.
-
Sounds like every other corporate, don't even think of fixing it. No one wants to risk if anything breaks.
-
This is the (insert random number)th time I've been pitched this way, if you can convince me, you can convince the investors.
Put the money on the table, then we'll talk.