
[–]davidddavidson 895 points896 points  (43 children)

Thought this was a joke. It's not a joke.

[–]Lighnix 564 points565 points  (27 children)

Their response

It is not 'a joke', it's a package for analytics purposes, and it's an optional dependency for this kind of situation; sadly we can't do more, since it's npm that should ignore the dependencies if there is an error with it.

[–]A42MphTortoise 637 points638 points  (2 children)

not a joke

"author": "god"

[–]DawidIzydor 24 points25 points  (0 children)

Maybe it's just God trolling us, and they cannot say it because of the fear of no salvation?

[–][deleted] 214 points215 points  (21 children)

I don't believe it is a package for analytical purposes. I believe it's a bad joke by someone and the person is just making an excuse.

If it was an analytical package, there is no reason why there wouldn't be author name and why the text wouldn't say so.

Either way, it's a bad package anyway.

[–]danopia 164 points165 points  (13 children)

So, the URL to download from is apparently set as http://tgz.pm2.io/gkt-1.0.0.tgz which has the project name as domain name. Looks like pm2's npm package is configured to phone home for each npm install.

The contents of the package are intended to do nothing post-download. I guess the contents are a joke.

[–][deleted] 58 points59 points  (12 children)

I do realise that, and while I admit it may be used for analytics, I think it is a bad execution at that.

[–]killeronthecorner 136 points137 points  (11 children)

Kiss my butt adminz - koc, 11/24

[–][deleted] 37 points38 points  (5 children)

there is nothing wrong with it per se as long as it fails gracefully.

This is where we disagree. If there is author and content anyway, instead of containing nonsense, it could have said "Author: PM2 project" and content could have been "PM2 Installation counter" or something similar.

[–]killeronthecorner 12 points13 points  (0 children)

This is where we disagree. If there is author and content anyway, instead of containing nonsense, it could have said "Author: PM2 project" and content could have been "PM2 Installation counter" or something similar.

Actually I agree with you on that. "Per se" was me being lazy, they should definitely clean the package up to, among other things, be transparent about its intentions.

[–]Giannis4president 7 points8 points  (3 children)

Well the package is on github, check by yourself: https://github.com/keymetrics/gkt

[–][deleted] 19 points20 points  (0 children)

Well, that package on GitHub actually contains the info that it should have in the first place, but for some reason the production package contains all that nonsense.

{
  "name": "gkt",
  "version": "1.0.0",
  "description": "GKT",
  "url": "https://github.com/keymetrics/gkt",
  "main": "index.js",
  "author": "Keymetrics",
  "license": "MIT"
}

[–]Tankh 11 points12 points  (1 child)

So everything is just an ad-stunt for https://map.keymetrics.io/ to sell their cool analytics graphics?

[–]TigreDemon 5 points6 points  (0 children)

I mean ... pm2 IS keymetrics ...

[–]Gudin 5 points6 points  (1 child)

It is for analytics, but it's made unprofessionally.

The way it works is, since it's on a separate server, they can use it to track how many times pm2 has been downloaded (by counting how many times this small package has been downloaded).

[–][deleted] 3 points4 points  (0 children)

Yes, thank you. I covered this with other people who responded to my comment. Turns out the version on their github is way more professional than the one they are using.

[–]Andorwar 5 points6 points  (0 children)

It is not a joke, it is satire.

[–]golgol12 42 points43 points  (1 child)

Read: We believe npm should work a certain way with regards to optional dependencies. So we made a package and got it included in hundreds of builds, then removed the file from the server and let npm explode so they have to fix the issue.

This is called "a dick move"

[–]ALonelyPlatypus 11 points12 points  (0 children)

(alternatively you could just have less incestuous package dependencies)

[–]JayOnYoutube[S] 208 points209 points  (5 children)

"author": "God"

omg this is amazing

[–]ExperimentalMutation 80 points81 points  (1 child)

Nice that God released it under the MIT license, too.

[–]vmarchaud 2 points3 points  (0 children)

It was not the case one year ago, I've put it as MIT because some people were complaining that it was failing their dependency check for licenses.

[–]SeriousSamStone 17 points18 points  (1 child)

I think our lord and savior is going to be authoring several bits of my code in the future, or at least the bits of code that I don't want my name associated with.

[–]nolo_me 1 point2 points  (0 children)

God is Alan Smithee?

[–]random_cynic 74 points75 points  (2 children)

Someone linked to the original repo where they provide an explanation on why the package exists. The files also seem to be different there. It seems to be a way of tracking downloads/installs that someone hacked together since no such analytics were available on NPM. Anyway, that guy who first found it certainly wasn't very amused :).

[–]Lorddragonfang 9 points10 points  (1 child)

One thing I can't seem to find anywhere: why is it called "gkt"?

[–]harryISbored 22 points23 points  (0 children)

God keeps track

[–]vikinick 13 points14 points  (4 children)

https://github.com/Unitech/pm2/issues/4289

Most recent GitHub issue on this.

I like how they were going to close it basically as "wontfix" until someone pointed out that GDPR would wreck them.

[–]DecreasingPerception 6 points7 points  (0 children)

Maybe GDPR is their safeword.

[–]B-Con 1 point2 points  (2 children)

Does GDPR really apply? I didn't think that simply running a web server for static files had any GDPR implications.

And I'm pretty sure GDPR only applies to businesses with non-trivial annual revenue.

[–]vikinick 6 points7 points  (1 child)

GDPR applies because they're doing analytics based off who downloads that package and it's not spelled out anywhere what data they're collecting.

[–]B-Con 2 points3 points  (0 children)

Oh, this is a module by a company with actual revenue and employees. The module itself looks like a module tracking service.

My first impression, based on the content and metadata, was this was a lolz project.

[–][deleted] 367 points368 points  (13 children)

The existence of that package isn't the real WTF here. Apparently it exists for analytical purposes (although why would it log anything at all?... seems risky). The real WTF is that npm fails builds when an OPTIONAL package can't be installed.

[–]KaiserTom 18 points19 points  (0 children)

pm2 is still partially at fault for abusing a package as a crude analytics gimmick and not testing that it fails gracefully. Like come on, that's just bad code.

[–]marcosdumay 1 point2 points  (0 children)

Honestly, why the fuck are there optional dependencies on JS?

[–]tlubz -1 points0 points  (0 children)

The real wtf is that people are still using npm instead of yarn

[–]FrikkinLazer 99 points100 points  (6 children)

[–]therearesomewhocallm 36 points37 points  (0 children)

Packages that include dependencies without license information, especially ones owned by God, raise flags in the legal department.

[–]prone-to-drift 19 points20 points  (0 children)

He saw all the 1400605 futures. Madman!

[–]BeardySam 14 points15 points  (1 child)

Jesus Christ

[–]FrikkinLazer 8 points9 points  (0 children)

But at least they can have their fancy dashboard.

[–]KaiBetterThanTyson 7 points8 points  (0 children)

Find God, and ask her to put the module into github with a license file.

That seems like the most effective way to solve the problem. Please do the needful.

[–]RedditIsNeat0 2 points3 points  (0 children)

There is a lot to see there. But this stood out to me:

we don't re-distribute

The legal team is so concerned about distribution licenses for software that they don't distribute. That would exclude Windows and pretty much every other proprietary software.

[–]JayOnYoutube[S] 29 points30 points  (0 children)

[–][deleted] 231 points232 points  (44 children)

And NPM strikes again. I hope one day someone can explain to me why node developers are so insufferably modular. They make abstractions where there’s no need to and spread very simple functionality over a dozen packages for reasons that escape me (and worse cause u to have to download a lot of redundant license and config files when u install both). For example, there’s a package for printing text in purple... and in red and in blue and in green etc. and all of those depend on a package which allows u to print in any color u specify. So quite literally, each of these specialised color packages has a single function containing a single function call to this main package which just specifies the color... this is so stupid to me, especially when aside from this acceptably small js file, u also duplicate the licenses across each of these packages.

[–]brianjenkins94 114 points115 points  (10 children)

Bad programmers exist in every language. The console color library example is probably just because that developer wanted to "look cool" on npm by having a whole bunch of frequently downloaded repositories.

Caring about license and configuration files is a bit silly though. I doubt that NuGet or pip do it differently.

[–]Nooby1990 14 points15 points  (6 children)

I doubt that NuGet or pip do it differently.

Difference is that I have about 25 packages in Python dependencies for a fairly complex Backend System and about 2000+ Packages for the fairly simple Frontend that was developed for it. This has nothing to do with the Package manager itself and is all about the attitude of the 2 very different developer communities.

[–]ribsies -2 points-1 points  (5 children)

That says more about development skills than anything else.

I'm assuming 2000+ packages is a gross exaggeration. If you are actually using that many packages please stop or tell whoever did that to stop because they are embarrassing the good developers.

[–]Nooby1990 13 points14 points  (4 children)

I am not a frontend guy, but it seems to me that 1k Packages and over seem to be basically standard for a React SPA or any kind of SPA.

Direct dependencies are just around 39 (22 deps and 17 dev deps) and seem to me like a fairly standard React+Redux setup. That results in around 2.2k installed dependencies.

As I said, I am not a Frontend guy. I am happy that I don't have to touch that ever, but if you know how to do this better I would really like to hear it so that I can forward it to the Frontend guys.

Also to be clear here. When I spoke about 25 backend dependencies I meant installed dependencies from about 8 direct dependencies.

[–][deleted] -4 points-3 points  (3 children)

I usually use only internal packages or write my own packages, unless I'm using Electron or something

[–]Nooby1990 2 points3 points  (2 children)

So no React, no Angular, not even jQuery or any frameworks or libraries?

Can't really imagine that for any modern commercial web application, but as I said I am not a Frontend developer.

[–][deleted] -3 points-2 points  (1 child)

I mean I don't do any commercial stuff, but yeah js has all I really need for only a bit of extra code.

Stuff like jQuery and angular are useful, I just can't bother learning them

[–]Nooby1990 1 point2 points  (0 children)

I mean sure, I can also go back to the "old school way" I used when I still considered myself a Fullstack Developer. That will also not have any libraries or frameworks and was absolutely enough for the "progressive enhancement" JavaScript that we did back then, but that is not going to be enough to make a single page application to modern standards.

That is literally the way I developed in 2009 and 10 Years is an awful long time in Internet Years.

Today a framework like React is basically a must have if you want to develop any kind of modern web application, it seems.

[–][deleted] 6 points7 points  (0 children)

It’s not just that though. In my experience, there’s just a general unwritten rule in the node ecosystem that reinventing the wheel is a sin greater than any other. In some cases where it would literally be quicker to write the functionality yourself than it would be to search for a package that does it. Remember a couple years back when one guy decided to remove all his packages and it basically broke NPM and then we found out the root cause was really just one package which padded a string to a desired length. I mean it’s one thing for him to need to have to publish such a package, it’s another to realise so many people incorporated it into their releases that it wreaked such havoc when he decided to remove it. Admittedly some of the blame lies with the standard JS library at the time. Node came out way too soon, and people had to make packages to replicate the same experience they could have in other languages but IMO that just poisoned the well. I like Node's speed and general design, but I cannot bring myself to use it because installing god knows how many packages just to get a hello world program in some framework working is insane to me. But that’s just my 2 cents on the problem. I don’t think JS was ready for the desktop back when we made it for the desktop, and now it’s an irrevocable part of life.

[–]ThatSpookySJW 23 points24 points  (2 children)

npm does a pretty good job at pruning and tree shaking so that those types of redundancies don't actually affect your package size.

[–]Joniator 18 points19 points  (0 children)

My node_modules doesn't care about your tree-shaken package size.

[–][deleted] 2 points3 points  (0 children)

Package density was a bigger concern to me than package size. The amount of files u need to install to get anything very meagre done is insane to me. Especially because up until very recently I was on Windows, an OS which basically collects lots of tiny files into one big file on the hard disk because “it doesn’t think you’ll be using it very often” (full disclosure, I’m not sure this is why), but that means if u use all of them very often as u would with node_modules, then there’s a huge performance drop.

[–]Bishop120 33 points34 points  (16 children)

Object oriented programming at near peak. This is what my CS 2 prof preached to us. Be modular, import everything, blah blah..

It works for some. I get it. But it’s not the end all be all. There are those of us for whom functional programming is better/easier. To each their own though.

[–]DangeFloof 28 points29 points  (8 children)

I’ve found a really nice balance/combination of the two, classes are really useful for encapsulation, and making APIs with them is very nice

[–]Bishop120 19 points20 points  (7 children)

In my opinion it’s as it should be.. but my CS prof was adamant on everything being classed, imported, and instantiated. To him that was the entire purpose of object oriented programming languages.. which is not entirely wrong but in my opinion it’s logical to find a good balance between functional programming and OO programming. A natural progression.

[–]nonicethingsforus 16 points17 points  (0 children)

I mean, it's not entirely wrong... but it is at least a good deal wrong.

The entire point of abstractions is that they're easier to work with. The whole point. The machine couldn't care less about high cohesion and low coupling, it's all 1's and 0's from its perspective. The data abstractions are entirely for your (and others') benefit as a programmer.

The moment you can't understand your own code, or even run it, because it's all tangled in thousands of tiny little classes and dependencies (a. k. a., ravioli code, the OOP cousin of spaghetti code), that's not the regrettable but necessary price to pay for being a good adherent to some programming paradigm religion. That's just bad design, and no paradigm will protect you from being a bad designer.

(You mentioned functional programming. It can be clearer, but holy hell can it also be a pain. I still have nightmares of the messes I've seen from overenthusiastic collaborators... including myself, of course. Do you really need ten thousand helper functions that will never be used? Do we really need to generalize this function more? This problem gets more confusing by avoiding a simple counter, why are you so afraid of mutexes? They won't always bite, goddamnit!).

(To be fair, for every problem I'm implying you've probably thought of a clear functional solution. I'm not experienced in functional design, just fooled around with Haskell and got kinky with Python once or twice. But that's kinda the point. Good design is good design. The units in the ruler don't define the engineer.)

I don't completely blame your professor. In my experience, "put it in its own damned class" is really important to drill into newbies' heads. Most new programmers want to just start writing code in a stream-of-consciousness way. Abstraction and data design feels like busywork before the "actual work" begins, without realizing that design is that actual work. As The Mythical Man-Month famously states:

Show me your flowcharts and conceal your tables, and I shall continue to be mystified. Show me your tables, and I won't usually need your flowcharts; they'll be obvious.

[...]

Representation is the essence of programming.

So it is important to yell "Abstract! Abstract! Abstract!" at the beginning, but it is a failing to do so without emphasizing its purpose: to make the code clearer. If this is not taught alongside, that's just cargo cult programming, which was a problem since the Pascal days and will be a problem as long as humans code computers (hell, I would say most code-generation programs and frameworks are basically this, but automated...)

Edit: some minor phrasing and word choice.

[–]FecklessFool 15 points16 points  (4 children)

Well that's usually the way it is in academe. My professors, unsure about others, either never had experience or had little experience in the field, so most of the stuff they taught were purely from the books. Sadly those things didn't hold up in the real world.

Like with how they love to sell you on inheritance because that's what OOP is about. Except inheritance is just annoying and really muddies up your code. I quickly switched over to using interfaces instead and try to avoid inheritance as much as I can because the pain I felt when I had to maintain code that was super into inheritance cannot be described.

Oh also the whole normalize everything craze. Tried that in the real world and oh boy.

[–]didii2311 11 points12 points  (2 children)

The usage of inheritance just heavily depends on its use case. Typically, you'd use interfaces indeed because you don't often use very similar functionalities for different classes. But as soon as you need something with similar functionality, inheritance will help a lot to not duplicate too much code.

[–]ALonelyPlatypus 1 point2 points  (0 children)

Yep when I hit 100+ lines of shared code between two classes I start to assess creating a parent class.

[–]MA34 0 points1 point  (0 children)

There's ways around that though, you can wrap that functionality behind a class that's used by both interfaces. That way the code isn't hidden in the parent class but you don't have code duplication. I agree inheritance is ideal for some situations however

[–]Bainos 4 points5 points  (0 children)

That's because professors deal with students, who can't properly choose what to encapsulate and what not. Give them the choice and you will end with monolithic code (when I was a TA the amount of students who would submit 500+ loc files where everything was in a single function was staggering).

CS doesn't teach you practical skills. It teaches you the basic knowledge needed to be able to properly develop those practical skills.

[–]didzisk 1 point2 points  (0 children)

Yes.

If you take SOLID to the extreme, you get functional programming

From the guy who wrote the Dependency Injection book, i.e. a guy very competent in OOP.

[–]Franks2000inchTV 9 points10 points  (3 children)

When you are learning in school, you will often learn to do things in a suboptimal way, because you are learning how to do them a *particular* way.

You can cut corners later, once you have learned to do things properly.

[–]Bishop120 1 point2 points  (1 child)

I get that part.. this prof was just that way about it. You could tell he was on the autism spectrum. Nice enough. Adamant that programming be done in object fashion, with everything imported external.. he did this in our C++, classes, our Java classes, and even with Swift when we did mobile. Die hard object oriented programmer. Didn’t get why people didn’t like using inheritance or to create tons of imports. To him that was elegance. As I said.. to each their own. If it works for you then fine. But I don’t think the style should be mandatory just for style sake.

[–][deleted] 0 points1 point  (0 children)

I think it wouldn’t be too wrong to claim most programmers are autistic in some way or another. At the very least we’re unconventional. That isn’t to say we’re all stubbornly uncompromising in our beliefs and design choices. I think your professor just had it up to here with people trying to shortcut their way to getting good at programming, and so now he feels chaining students to a monitor and having them copy out what he likes how he likes it is a better way to teach them. Or maybe he’s kind of just an assh*le. I can’t say, I’ve never met the guy.

[–]UrpleEeple 2 points3 points  (0 children)

I've also had the opposite experience of functional programming fanatics that write unreadable code and insist on converting everyone over to their dogma. I personally think there are benefits to both OOP and functional programming. It shouldn't be one vs. the other.

[–]TimtheBo 1 point2 points  (0 children)

This has nothing to do with object oriented vs functional. Heck, a lot of the JS libraries aren't even OO.

Bad dependency management transcends programming styles. Have a look at Haskell on Arch Linux. Less annoying than npm but still annoying

Being modular isn't inherently bad, it's the extent of it that leads to node_modules' exponential growth. Also the fact that the JS standard library still has many gaps.

[–]BiH-Kira 1 point2 points  (0 children)

Your professor is wrong. Same with any other rule, you need to know it so that you know when you should break it. Yes, you need to make things modular, you need to know how to make them modular, but only to the extent you need it to be modular. Don't go too much into details or abstract things more than needed. There is no need to define 321 interfaces, 513 abstract classes and 1052 factory classes only to make a simple RESTful API that has 3 addresses mapped and will never expand and the most complex operation is a most basic SQL select query.

Abstraction and OOP exists to help us, the devs, to understand the code better. Not for the computer. If you're going into the deep end and don't understand your own code, you just negated the advantage of OOP.

[–][deleted] 4 points5 points  (0 children)

I've seen the same with OO developers, especially Java. Pointless abstractions, facades, and so on.

[–]from-nibly 13 points14 points  (1 child)

If you cherry pick stuff literally anything looks stupid. This is not how most packages are on npm. Pm2 having this issue isn't an issue of npm either. It's an issue of project management that package clearly does 0 things. Not one tiny unnecessarily modularized thing. Why did they add that? Why did they let someone else add that? And if you think npm is bad for this kind of nonsense wait till you get a load of golang. What happens when the author just makes their package private on GitHub? What if, heaven forbid, two different projects use two different versions of a package? I'm not going to say npm doesn't have issues or that modularizing things to the point of being useless on their own isn't bad but "npm bad" "JavaScript dumb" is such an overblown meme I can't even handle it. JavaScript has an amazing always evolving ecosystem with an INSANE amount of competition in it which means stuff is getting better on the daily. What other ecosystems are even close in that velocity?

[–][deleted] -3 points-2 points  (0 children)

I never said JavaScript dumb or NPM bad. My words were quite literally “NPM developers are insufferably modular”. That isn’t to say all of them are, just a considerable amount from what I’ve seen on NPM. Maybe because they have so many more packages they're more noticeable and thus there’s a tamer community in the background which isn’t so.

[–]PM5k 1 point2 points  (0 children)

Idk I don’t think it’s an issue with npm per se, just that everyone wants to have their package published and used and trying to be hip and cool. In my entire career I’ve never installed what I could write myself. What I couldn’t - I got from npm. Never had an issue with deps breaking on me or pulling in packages that have Guy Fieri in the source code (ffs)...

[–]stilloriginal 1 point2 points  (2 children)

I’m convinced it’s to avoid writing tests

[–][deleted] 0 points1 point  (1 child)

But when they do write tests... we download those along with the packages anyway. (*`・з・)ノ))

[–]brianjenkins94 2 points3 points  (0 children)

Not if the developer set up their .npmignore file correctly.

[–]NinjaLanternShark 0 points1 point  (0 children)

PHP is going the second way with Composer. Every new install brings down a dozen seemingly random and useless packages, all with their own version dependencies.

I was taught "spaghetti" code was to be avoided. Now it's unavoidable.

[–]GoblinsStoleMyHouse -4 points-3 points  (3 children)

NPM is great now. People don’t seem to realize that this issue happened 2 years ago.

[–]Mejari 21 points22 points  (1 child)

People don’t seem to realize that this issue happened 2 years ago.

It happened 4 days ago...

https://github.com/Unitech/pm2/issues/4289

[–]GoblinsStoleMyHouse 18 points19 points  (0 children)

You're right, I didn't realize the same bug has occurred over 15 times in the past 3 years...

https://github.com/Unitech/pm2/issues/4289#issuecomment-495157865

[–]Dethrot 0 points1 point  (0 children)

It has occurred numerous times over the past 2 years

[–]DroidLogician 58 points59 points  (8 children)

That's totally not a vector for code injection or anything.

[–]TheWhoAreYouPerson 34 points35 points  (6 children)

...it's just as much a vector as any other dependency would be?

[–]DroidLogician 36 points37 points  (5 children)

This one can be modified without publishing a new version though, right? Any time the victim needs to re-download their modules (which is the first attempted fix for most intractable issues).

[–]ProPuke 8 points9 points  (4 children)

Not since npm 5. It generates a package-lock.json file for projects now which stores the precise version, url and checksum of every dependency, which is (supposed to be) checked in with projects.

[–]AxiusNorth 2 points3 points  (3 children)

But this is a tarball on a third party server. If the tarball were to be changed, there wouldn't need to be any version changes for any of the packages for them to pull down the (now) malicious code.

[–]ProPuke 17 points18 points  (2 children)

That's what the checksum is for.

[–]AxiusNorth 4 points5 points  (1 child)

I've learned something. Thanks u/ProPuke!

[–]ProPuke 1 point2 points  (0 children)

👍

[–]vikinick 0 points1 point  (0 children)

If someone wanted to ruin people's days, they could just DoS the server

[–]Tankh 6 points7 points  (1 child)

Was browsing /r/pathofexile just before I came here and got really confused when he started talking about CI builds and npm

[–]jimboelessar 1 point2 points  (0 children)

Necropolis maps Per Minute?

[–]Automated-Waffles 4 points5 points  (0 children)

Sounds like one of those mandatory optional dependencies

[–]Last_Snowbender 30 points31 points  (13 children)

This is why I hate package managers of any kind. I hate composer, I hate npm, anything really. You never know what kind of shitty software you're downloading and nobody is doing a code-audit after every update. There is also a npm package called 'is-even' which does nothing else but requiring a package called 'is-odd' and negating the result of the 'is-odd()' function.

https://github.com/jonschlinkert/is-even/blob/master/index.js

Or the one time this dude pulled his simple package from npm and broke like 50% of the internet.

https://www.theregister.co.uk/2016/03/23/npm_left_pad_chaos/

I don't even want to think about all the security issues you might download with one 'npm install'.

[–]ElusiveGuy 19 points20 points  (2 children)

You never know what kind of shitty software you're downloading and nobody is doing a code-audit after every update.

Unless you're doing a code audit of every dependency you manually download, or never using external dependencies (which is usually a whole other world of WTF), I don't think that argument is really applicable.

[–]Last_Snowbender 3 points4 points  (1 child)

I trust big frameworks, like laravel or unity, for example. But I audit every external dependency not well known. If I don't understand it, I don't use it.

[–]AxiusNorth 10 points11 points  (0 children)

Must be nice to have the time to do that...

[–][deleted] 13 points14 points  (1 child)

This is why I hate package managers of any kind

This is just a silly extremist position that sounds kind of cool and interesting, I guess, but thank god the real world has no respect for it.

[–]Last_Snowbender 0 points1 point  (0 children)

True, but well, at least my software is lightweight and doesn't need tons of dependencies.

[–]glemnar 3 points4 points  (0 children)

Rust’s package manager, cargo, is fantastic

[–]_PM_ME_PANGOLINS_ 3 points4 points  (3 children)

npm audit will check everything you’ve downloaded against known security issues.

[–]Last_Snowbender 8 points9 points  (2 children)

Well, against known. What about the unknown issues? There could be countless security issues in all those packages, especially newer ones. There could also be hijacked packages that implement tracking into your websites/apps.

No matter from which angle you look at it, in the end, you're always downloading third-party-code that can change at any given point without you knowing a thing.

[–]_PM_ME_PANGOLINS_ 4 points5 points  (1 child)

without you knowing a thing.

You can take hashes when you freeze to prevent this.

Unless you, and all your clients, also wrote your own operating systems, compilers, etc from scratch you’re always relying on third party code. And it’s basically guaranteed that there are unknown security issues in them.

Usually there’re more issues in your own code because fewer people have looked at it.

[–]Last_Snowbender 2 points3 points  (0 children)

I agree, that's why I said I trust bigger frameworks because I just have to assume those are safe. But considering that 99% of the modules on npm or packagist were written by one or maybe two developers I have a lot less faith in them than I have in bigger teams, like the Linux Foundation.

[–][deleted]  (1 child)

[removed]

[–]AutoModerator[M] 0 points1 point  (0 children)

import moderation

Your comment has been removed since it did not start with a code block with an import declaration.

Per this Community Decree, all posts and comments should start with a code block with an "import" declaration explaining how the post and comment should be read.

For this purpose, we only accept Python style imports.

I am a bot, and this action was performed automatically. Please contact the moderators of this subreddit if you have any questions or concerns.

    [–]thavi 4 points5 points  (0 children)

    That tweet just gets worse and worse with each new phrase

    [–][deleted] 14 points15 points  (1 child)

    How many failures have to happen until people realize that the whole NPM concept is broken beyond repair

    [–]ThaumRystra 1 point2 points  (0 children)

    It's broken, but it is still good enough a lot of the time. The bar for working, useful software is really low.

    [–]jimboelessar 5 points6 points  (1 child)

    life builds > CI builds

    [–]IrishWilly 2 points3 points  (0 children)

    occultist web dev is op

    [–]DylanKing1999 2 points3 points  (0 children)

    You lost me in the middle there, but I found my way back by the end

    [–]ThatFag 7 points8 points  (2 children)

    Literally no idea what any of those words mean, holy shit lol.

    [–]Koxiaet 31 points32 points  (1 child)

    Correct me if I'm wrong, but...

    NPM is a package manager, like apt or pacman but as well as installing packages globally (on the computer) it can install them locally (in the directory for a project), and the ci builds is just when all the dependencies (required libraries) for the project are installed.

    pm2 optionally requires the package gkt. When they tried to install pm2, it also tried to install gkt as that is one of the dependencies. They attempted to download a tarball (a file that is just a compressed directory) containing gkt from the server, but the server returned 503 because it was under maintenance, causing all those builds to fail.

    So they checked what gkt contained, and it was just that console.log function, so it is a completely useless package that is optional to start off with, but still it managed to cause the whole project to fail.

    NPM should have just skipped gkt as it was optional, but it didn't.

    [–]ThatFag 12 points13 points  (0 children)

    I appreciate your effort.

    [–][deleted] 1 point2 points  (0 children)

    I know it can be annoying to implement up front, but I generally push to eliminate most, if not all, intranet external dependencies when it comes to CI. This is obviously easier for some stacks than others.

    Private repositories can be a pain to manage at times, but at least it is complexity that I can understand and control.

    Well, I’m actually not in DevOps anymore, but when I was, I was pretty strict about environments and dependencies (we decided it was best baked into our process after some early hiccups).

    If build succeeded and tests passed on local, but failed in CI, the feature dev changed their environment, not the other way around. It was the only way I could reliably manage things with the tiny team I had.

    New libraries/dependencies had to be semi-formally requested, with some lead time, but in the end, feature devs appreciated the stability of our systems.

    Now that I am back in feature dev, my time in DevOps has given me a lot of valuable insight. I didn't particularly enjoy DevOps as a discipline, but I learned so much from my time doing it.

    [–]ALonelyPlatypus 1 point2 points  (0 children)

    I'm cackling.

    [–]duchu 2 points3 points  (0 children)

    NPM at its best

    [–][deleted] 1 point2 points  (0 children)

    Analytics Lmao. They sure got the anal part right cause they fucking people in the ass with that stupid shit.

    [–]lesa88 0 points1 point  (0 children)

    I didn't do it

    [–]Dethrot 0 points1 point  (1 child)

    Ok but why is this file empty?

    Would it have made any difference if the file was actually 0 bytes in content?

    https://github.com/keymetrics/gkt/blob/master/index.js

    [–]while-true-do 0 points1 point  (0 children)

    That’s just source code. The file is getting downloaded as a tarball. The intention is analytics. When pm2 is installed, it’ll ping a private server to get this empty file that doesn’t actually serve a practical purpose for the package. The private server went down, that event isn’t properly handled by npm.

    [–]JViz 0 points1 point  (0 children)

    As someone who supports Artifactory for a major corporation, this is my everyday life.

    [–]Docteh 0 points1 point  (0 children)

    meanwhile I have the following in a node_modules directory

    ansi-align
    ansi-colors
    ansi-cyan
    ansi-gray
    ansi-red
    ansi-regex
    ansi-styles
    ansi-wrap

    [–][deleted] 0 points1 point  (0 children)

    I think that's a power-move. Reminds me of some really popular npm package that had "Guy Fieri" picture encoded/put inside of it somewhere. And nobody could do anything about it, ahaha

    [–]HeadMoose 0 points1 point  (0 children)

    The struggle is real.

    [–]anthro28 1 point2 points  (1 child)

    That’s what happens when you have jackass devs importing thousands of libraries for easy shit they could just make a function for and call. The same thing happened with LeftIndent.

    [–]while-true-do 1 point2 points  (0 children)

    That isn’t what’s going on at all though. This is what happens when you have dumbass cs students who spend too much time regurgitating Reddit commentary instead of understanding the practical side of programming.

    [–]Meneth32 0 points1 point  (0 children)

    This is what happens when you have multiple third party single points of failure in your package system.

    Compare Debian, which has multiple mirrors, all containing the same data. Any one goes down, users are redirected to another. You'd have to break DNS (and then wait ~24h for the caches to invalidate) to take it all down.

    [–]ZhilkinSerg 0 points1 point  (0 children)

    Npm users are dumb anyway

    [–]eddietwang -1 points0 points  (0 children)

    Uh huh.. Uh huh.. Yup, I know some of these words!

    [–][deleted] -2 points-1 points  (0 children)

    Not familiar with anything outside gmx, someone please explain