|
Bongo Bill posted:We notice things that don't work; we don't notice things that do. sure but the whole ~web ecosystem~ seems to have a lot more horrifying stuff in it than other places
|
# ? May 29, 2018 22:59 |
|
|
Bongo Bill posted:We notice things that don't work; we don't notice things that do. anything that works is perfect. therefore I am perfect * * occactionally ** ** lol
|
# ? May 29, 2018 23:25 |
|
Thermopyle posted:transpiling is the very smallest of JS frontend sins What is the biggest sin?
|
# ? May 30, 2018 00:06 |
|
MrMoo posted:Web developers like to repeat history like everyone else. See: PHP and PHP template engines, PHP is already a template engine. This actually makes sense, though, since template systems automatically prevent page injection attacks and also prevent your dumbass team members from querying the database in the middle of a bunch of markup
|
# ? May 30, 2018 00:09 |
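What "template systems automatically prevent page injection" amounts to in practice is that the template engine escapes interpolated values by default and only the author can opt out. The block below is an added illustration for this thread, not code anyone posted: a tagged template literal that HTML-escapes every interpolated value, next to the plain string concatenation it replaces. `raw()`, `SafeHtml` and the sample payload are invented for the example.

```javascript
// Added example (not from the thread): an auto-escaping HTML template tag
// beside the naive concatenation it replaces.

const ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Escape the five characters that matter in HTML text and quoted-attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Marker type: markup the author has explicitly vouched for.
class SafeHtml {
  constructor(markup) { this.markup = markup; }
  toString() { return this.markup; }
}

// Opt-out for the rare case where the author really wants raw markup.
function raw(markup) { return new SafeHtml(markup); }

// Tagged template: literal parts are trusted markup written by the author,
// interpolated values are escaped unless they are already SafeHtml.
function html(strings, ...values) {
  let out = "";
  strings.forEach((literal, i) => {
    out += literal;
    if (i < values.length) {
      const v = values[i];
      out += v instanceof SafeHtml ? v.markup : escapeHtml(v);
    }
  });
  return new SafeHtml(out);
}

// The "before": user input dropped straight into markup.
function renderUnsafe(name) {
  return `<p>Hello, ${name}!</p>`;
}

// The "after": same markup, but interpolation goes through the template tag.
function renderSafe(name) {
  return html`<p>Hello, ${name}!</p>`.toString();
}

// Constructed attacker-controlled input.
const PAYLOAD = "<script>alert('xss')</script>";

console.log(renderUnsafe(PAYLOAD)); // script tag survives, executes in the page
console.log(renderSafe(PAYLOAD));   // rendered as visible text, nothing executes
```

The caveat a reviewer would add: escaping is context-dependent. This tag is correct for element text and quoted attribute values; dropping a value into a `<script>` block, an `onclick` handler, a `style` attribute or a URL needs a different encoder, which is exactly the part that hand-rolled "just escape it" code gets wrong and a real template engine does for you.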
|
Athas posted:What is the biggest sin? Javascript
|
# ? May 30, 2018 00:09 |
|
Athas posted:What is the biggest sin? John 4:18: quote:I'm a teapot
|
# ? May 30, 2018 00:19 |
|
The Fool posted:Javascript Not empty quoting. (I don't actually know the answer to the question, but there's lots of house of cards)
|
# ? May 30, 2018 00:19 |
|
rt4 posted:This actually makes sense, though, since template systems automatically prevent page injection attacks and also prevent your dumbass team members from querying the database in the middle of a bunch of markup So you modify the VM to do that for you, a PHP docker or whatever. You could run a second FCGI PHP instance with all the modules disabled and then you have no DB access.
|
# ? May 30, 2018 00:38 |
|
MrMoo posted:So you modify the VM to do that for you, a PHP docker or whatever. You could run a second FCGI PHP instance with all the modules disabled and then you have no DB access. This is even more stupid than using PHP to begin with
|
# ? May 30, 2018 00:46 |
|
xtal posted:This is even more stupid than using PHP to begin with This: https://www.theregister.co.uk/2008/04/17/oklahoma_corrections_site_data_exposed/ You can code in COBOL, Javascript, lisp, perl, bash and PHP all in one site, but don't, for the love of all that's holy, create and execute SQL queries from the client.
|
# ? May 30, 2018 01:05 |
|
I don't understand the complaints about transpiling and can only assume the complainers haven't really worked much with JavaScript and don't fully understand how or why it's done.
|
# ? May 30, 2018 04:08 |
|
Transpiling is good because it allows having a semblance of a real language. Everything else is a disaster. Like how I had to work on a web project with 11 direct dependencies and an npm install gave me 1300 indirect dependencies, most of which were single-function libs for the most basic poo poo like array and string utilities, because Javascript has no std lib. Totally stable and secure! It's a loving house of cards and I can't wait till it collapses.
|
# ? May 30, 2018 04:25 |
|
I really don't think the tiny module thing in and of itself is a big deal, especially when you're trying to write a library that can be used in both a browser and node.js environment and size matters. What sucks is what a brittle pile of poo poo npm is in general.
|
# ? May 30, 2018 05:57 |
|
Sagacity posted:Agreed. I genuinely don't understand how a community that always has prided itself on doing things "in a simple, non-bloated way" is pooping out things like npm, webpack, "transpiling" which is not a typo for "transpiring", leftpad, is-odd (which is even odder than is-even), etc etc. To be (very, very, very) slightly kind to NPM, is-odd is made by this guy, who's famous for this and this and is basically just trying to game the system so he can claim that he's written code that's used in thousands of programs and has millions of downloads, by getting one of his trivial packages included as a dep in something, and then making his package depend on a bunch of his other poo poo. It's a bit of an outlier even for npm.
|
# ? May 30, 2018 07:25 |
|
megalodong posted:It's a bit of an outlier even for npm. From the tests: code:
(Also the tests forget to check any edge case)
|
# ? May 30, 2018 08:33 |
|
brap posted:I really don't think the tiny module thing in of itself is a big deal, especially when you're trying to write a library that can be used in both a browser and node.js environment and size matters. What sucks is what a brittle pile of poo poo npm is in general. well like, I recently hit file > new project in visual studio 2017, and I had to figure out how to use this npm poo poo to get the js client for signalR in .net to work, and it actually surprisingly wasn't awful to set up. like, I got typescript to work with import statements, my type definitions automatically download, I set up a pre-build to get the type definitions and browserify so I don't have to check them into source control, and it's worked without blowing up for all of three days so far, and it only took three hours of reading documentation and writing custom pre-build post-build scripts. I can definitely observe progress from 2012 in this area.
|
# ? May 30, 2018 14:02 |
|
megalodong posted:To be (very, very, very) slightly kind to NPM, is-odd is made by this guy, who's famous for this and this and is basically just trying to game the system so he can claim that he's written code that's used in thousands of programs and has millions of downloads, by getting one of his trivial packages included as a dep in something, and then making his package depend on a bunch of his other poo poo. Jon Schlinkert's code is just maddening. A while back I discovered someone in our project had pulled in filter-object to, as the package name suggests, take an object and create a new object with some, but not all, of the keys of the original. Just watch how many dependencies that thing pulls in.
|
# ? May 30, 2018 18:58 |
|
qntm posted:Jon Schlinkert's code is just maddening. A while back I discovered someone in our project had pulled in filter-object to, as the package name suggests, take an object and create a new object with some, but not all, of the keys of the original. It's like one of those videos where somebody hits a dust bunny with a broom and SUDDENLY THERE ARE THOUSANDS OF SPIDERS AAAAARGHHHHH BURN THE HOUSE DOWN
|
# ? May 30, 2018 19:37 |
|
qntm posted:Jon Schlinkert's code is just maddening. A while back I discovered someone in our project had pulled in filter-object to, as the package name suggests, take an object and create a new object with some, but not all, of the keys of the original. The package kind-of shows up in those dependencies in five different versions -- 2.0.1, 3.2.2, 4.0.0, 5.1.0, and 6.0.2. How do you even get to the point where you're relying on five subtly different versions of your own code? Four other packages show up in three versions, and seventeen show up in two versions, meaning that you could remove 29 dependencies if you could always use the latest version of each dependency. I wonder if the package would still work then, or if some of the dependencies actually need to be older versions.
|
# ? May 30, 2018 20:02 |
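The "five versions of kind-of" count above is something you can pull out of a lockfile mechanically. The script below is an added example for this thread, not anything posted in it: it reads a `package-lock.json` (lockfileVersion 2 or 3, which keys installed packages by their `node_modules/...` path) and reports every package that is installed in more than one version, plus how many copies would disappear if each package were collapsed to a single version. The sample lock is constructed; its tree shape is invented and only the kind-of version numbers are taken from the post.

```javascript
// Added example (not from the thread): find packages a package-lock.json
// installs in several versions. Sample lock is constructed for illustration.

const SAMPLE_LOCK = JSON.stringify({
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { "filter-object": "^3.0.0", "@scope/pkg": "^1.0.0" } },
    "node_modules/filter-object": { version: "3.0.0", dependencies: { "kind-of": "^6.0.0", "for-own": "^1.0.0" } },
    "node_modules/kind-of": { version: "6.0.2" },
    "node_modules/for-own": { version: "1.0.0", dependencies: { "for-in": "^1.0.0", "kind-of": "^3.0.0" } },
    "node_modules/for-own/node_modules/kind-of": { version: "3.2.2" },
    "node_modules/for-in": { version: "1.0.2" },
    "node_modules/@scope/pkg": { version: "1.0.0", dependencies: { "kind-of": "^5.0.0" } },
    "node_modules/@scope/pkg/node_modules/kind-of": { version: "5.1.0" },
  },
});

// Package name is everything after the last "node_modules/" in the lock path,
// which keeps scoped names like "@scope/pkg" intact.
function nameFromLockPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? null : lockPath.slice(idx + marker.length);
}

// Map of package name -> Set of distinct versions present in the lock.
function versionsByPackage(lockJson) {
  const lock = typeof lockJson === "string" ? JSON.parse(lockJson) : lockJson;
  if (!lock.packages) throw new Error("expected lockfileVersion 2 or 3 with a 'packages' map");
  const result = new Map();
  for (const [lockPath, entry] of Object.entries(lock.packages)) {
    if (lockPath === "" || !entry.version) continue; // root project or a link entry
    const name = nameFromLockPath(lockPath);
    if (!name) continue;
    if (!result.has(name)) result.set(name, new Set());
    result.get(name).add(entry.version);
  }
  return result;
}

// Packages present in more than one version, most-duplicated first.
// Versions are sorted as strings, not by semver; good enough for a report.
function duplicatedPackages(lockJson) {
  return [...versionsByPackage(lockJson)]
    .filter(([, versions]) => versions.size > 1)
    .map(([name, versions]) => ({ name, versions: [...versions].sort() }))
    .sort((a, b) => b.versions.length - a.versions.length || a.name.localeCompare(b.name));
}

// How many version entries exist and how many are surplus over one-per-package.
function dedupeSummary(lockJson) {
  const byPkg = versionsByPackage(lockJson);
  let distinctVersions = 0;
  let removableCopies = 0;
  for (const versions of byPkg.values()) {
    distinctVersions += versions.size;
    removableCopies += versions.size - 1;
  }
  return { packages: byPkg.size, distinctVersions, removableCopies };
}

for (const d of duplicatedPackages(SAMPLE_LOCK)) {
  console.log(`${d.name}: ${d.versions.join(", ")}`);
}
console.log(dedupeSummary(SAMPLE_LOCK));
```

To run it on a real project, pass `fs.readFileSync("package-lock.json", "utf8")` instead of `SAMPLE_LOCK`; for one package, `npm ls kind-of` prints every nested copy with the path that pulled it in. Older lockfileVersion 1 files use a nested `dependencies` tree rather than a flat `packages` map and are not handled here. On the question the post raises, whether forcing every copy to the newest version would still work: `npm dedupe` only merges copies whose declared ranges overlap, and anything pinned to an older major is there because a dependent's range excludes the newer one, so collapsing those by hand is a behaviour change, not a cleanup.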
|
Sagacity posted:Because certainly if it works for 5 elements it may not work for 50. How's that now?
|
# ? May 30, 2018 21:05 |
|
This guy figured out how to be super popular in the javascript world by linking his tiny rear end projects together that don't really do anything. Good for him. Edit: His only dev experience on his linked in profile is 6 years as a Full Stack Developer working on open source projects and thing stats on his projects. He's just trying to get paid to talk. poemdexter fucked around with this message at 21:10 on May 30, 2018 |
# ? May 30, 2018 21:07 |
|
his twitter says crypto and solidity
|
# ? May 30, 2018 21:28 |
|
qntm posted:Jon Schlinkert's code is just maddening. A while back I discovered someone in our project had pulled in filter-object to, as the package name suggests, take an object and create a new object with some, but not all, of the keys of the original. Do you do code review when adding new dependencies? In related news, I have a group of undergrads working on some fairly simple webstuff for me (interactive graphs of performance benchmark results over time). They're smart guys and building good stuff, but I was honestly not ready for the fact that their simple data processing pipeline (transposing some JSON files) depends on half a million lines of Javascript and the frontend depends on a million and a half lines of Javascript. Their own code is less than 4000 lines total. I mean, I've read about this stuff for years, but it's quite different when you see it in your file system.
|
# ? May 30, 2018 21:29 |
|
Athas posted:Do you do code review when adding new dependencies? How do you add new dependencies without changing the code and eliciting a code review?
|
# ? May 30, 2018 21:48 |
|
Coffee Mugshot posted:How do you add new dependencies without changing the code and eliciting a code review? I believe what was meant is, do you review the code in the dependencies that you are adding? Or do you just assume that "hey, it's published code, it must be reasonable." Because I can practically guarantee you that 95+% of devs opt for the latter.
|
# ? May 30, 2018 21:50 |
|
JawnV6 posted:How's that now?
|
# ? May 30, 2018 22:09 |
|
TooMuchAbstraction posted:I believe what was meant is, do you review the code in the dependencies that you are adding? Or do you just assume that "hey, it's published code, it must be reasonable." I see. Yeah, I don't think there's much value to reviewing the code in a dependency unless there is a security concern. On the other hand, deciding that an API is good and useful for your own project is a bit of a review itself, albeit informal.
|
# ? May 30, 2018 22:11 |
|
qntm posted:Jon Schlinkert's code is just maddening. A while back I discovered someone in our project had pulled in filter-object to, as the package name suggests, take an object and create a new object with some, but not all, of the keys of the original. I love there's a library called is-odd, and that it's at version 2.0 edit: scratch that - my favourite thing is the usage of five different versions of kind-of
|
# ? May 30, 2018 23:05 |
|
Never forget left-pad
|
# ? May 31, 2018 00:01 |
canis minor posted:I love there's a library called is-odd, and that it's at version 2.0 As of 5 hours ago it's on version 3.0. Even better! VikingofRock fucked around with this message at 00:14 on May 31, 2018 |
|
# ? May 31, 2018 00:09 |
|
My company has multiple bureaucracies in place to review dependencies This is for shipped products however. I don't know how they handle the website.
|
# ? May 31, 2018 00:12 |
|
VikingofRock posted:as of 5 hours ago it's on version 3.0 code:
|
# ? May 31, 2018 00:15 |
|
megalodong posted:
That sounds like a semver-breaking change. Time to rollout 4.0!
|
# ? May 31, 2018 00:27 |
|
HappyHippo posted:My company has multiple bureaucracies in place to review dependencies Do they actually check the code, or just the license?
|
# ? May 31, 2018 00:30 |
megalodong posted:
Open a pull request.
|
|
# ? May 31, 2018 00:35 |
|
brap posted:I really don't think the tiny module thing in of itself is a big deal, especially when you're trying to write a library that can be used in both a browser and node.js environment and size matters. What sucks is what a brittle pile of poo poo npm is in general. It's a big deal in that it's a huge point of failure. What if one of those tiny utility libraries that is depended on by 1000 larger libraries ships an update with a bug? Or worse, what if it gets removed completely? I'm sure we all remember the disaster of left-pad. The lack of a std-lib that's maintained by a reliable central authority is a huge weakness of the ecosystem and is why a disaster like npm took over.
|
# ? May 31, 2018 00:35 |
|
megalodong posted:
Good thing he disabled the Issues tab, probably because of people trolling him, so all you could do is comment on that commit. Also good thing his tests don't actually cover that branch.
|
# ? May 31, 2018 00:38 |
|
Doc Hawkins posted:Do they actually check the code, or just the license? The licensing is one bureaucracy. There's also security audits. I doubt they manually review third party code however.
|
# ? May 31, 2018 00:39 |
|
I wonder how long until one of these tiny npm packages that has found its way into a major package is updated to insert a bitcoin miner or something more malicious.
|
# ? May 31, 2018 00:42 |
|
|
VikingofRock posted:Open a pull request. I don't want my name anywhere near that thing!
|
# ? May 31, 2018 00:42 |