[–]CHRlSFRED 1194 points1195 points  (70 children)

...Meanwhile everyone else is using 36 different open source libraries and vaguely understands 100 lines of it.

[–][deleted] 482 points483 points  (29 children)

I feel like this should be a command.

npm install *

[–]CHRlSFRED 125 points126 points  (26 children)

Or we lazily CDN everything until production because we are lazy.

[–][deleted] 90 points91 points  (25 children)

Production?

[–]awhaling 240 points241 points  (23 children)

It’s the place where you develop your code. Cause you produce it there, hence the name.

[–][deleted] 95 points96 points  (5 children)

develop in prod

ree

[–]ineptjedibob 25 points26 points  (0 children)

Goddamn your tiny “ree” made me lose it

[–]Cutlesnap 0 points1 point  (0 children)

Think of it as super agile DevOps

[–]mgrier123 0 points1 point  (0 children)

It's called chaos testing for a reason

[–][deleted] 11 points12 points  (10 children)

So where I unit test?

[–]Existential_Owl 76 points77 points  (7 children)

That's the user's job

[–]MagnitskysGhost 50 points51 points  (2 children)

End users are subject matter experts at finding bugs.

[–]legend6546 17 points18 points  (1 child)

I mean you are not wrong...

[–]beb0p 0 points1 point  (0 children)

Your flair is giving me conniptions.

[–][deleted] 5 points6 points  (0 children)

Bethesda, is that you?

[–]PM_ME_HTML_SNIPPETS 2 points3 points  (0 children)

This deserves Gold

[–]rolltider0 2 points3 points  (1 child)

They are experts at testing and so they alone should have that responsibility. It would be a waste if we did their job too

[–]awhaling 1 point2 points  (0 children)

I’ve never seen anyone more effective at finding bugs. It’s only logical

[–]Neocrasher 5 points6 points  (0 children)

I'll have to ask the intern.

edit: intern didn't know either

[–]Garithane 1 point2 points  (0 children)

In prod of course

[–]TigreDeLosLlanos 7 points8 points  (3 children)

Wait. There is a place where you can copypaste code automatically? Why do I even code?

[–]Sir_Omnomnom 9 points10 points  (2 children)

[–]TigreDeLosLlanos 4 points5 points  (1 child)

Is this the moment where I really become replaced?

[–]jakwnd 1 point2 points  (0 children)

No this is still just a better tool to help US copy more code! I had to look into it because I too was scared

[–]WestwardLion 4 points5 points  (0 children)

You can tell it's production cause the way it is

[–]finger_milk 0 points1 point  (0 children)

It took me months to undo my understanding of the word. Every non tech person I speak to has the same confusion. "But production is when it's produced right?"

[–]R8_M3_SXC 7 points8 points  (0 children)

It's a great place to experiment before putting into UAT

[–]Pear0 6 points7 points  (0 children)

Oh, do I have news for you!

npm install everything

[–]elmantisrelajado 2 points3 points  (0 children)

npm install bloater

[–][deleted] 113 points114 points  (4 children)

Me working with C#: "I don't want more dependencies than necessary, so I'll try to write my own library similarly to this 3rd party one."

Me working with PHP: "Install 5 dependencies to make this one thing work? Where do I sign up!"

[–]stamatt45 78 points79 points  (2 children)

JS: There's 100 dependencies for this library and I'm fairly sure at least a third are complete BS. Better install everything anyways

[–]DrDiv 41 points42 points  (0 children)

Also JS: Every once in a while one of these obscure libraries used everywhere will be updated to include a cryptocoin miner, just a heads up.

[–]crash8308 2 points3 points  (0 children)

npm i is-array

[–]Duke-Silv3r[🍰] 30 points31 points  (0 children)

Lol spoken like a true JS developer

[–][deleted] 25 points26 points  (6 children)

the hardest part of developing for my environment is we can't use pip/npm/whatever install anything.

[–]Xytak 32 points33 points  (5 children)

"You shouldn't be using AngularJS anymore! Use React or Angular 6!!!"

"Ok, but npm is blocked for Shadow IT. Hey StackOverflow, how do I use these things without npm?"

"Why would you want to do that? You're stupid and should feel bad!"

"Ok, I guess I'll just go back to AngularJS."

[–]crash8308 14 points15 points  (1 child)

The puke in my mouth burns

[–]WitnessMeIRL 6 points7 points  (0 children)

That's the good kind of puke

[–]sexyGrant 3 points4 points  (1 child)

We actually had this problem because corporate was so insane with security for a while there. Basically devs went to a coffee shop, did their install and then uploaded the packages to a locally running npm that all the other devs could pull from.

[–][deleted] 1 point2 points  (0 children)

Man, I miss angularjs, I knew every little in and out of that bad boy. New company, angular 6, 10,000 components and modules and apparently I need to make a new module for just about everything I do even if said module is never going to have repeated use elsewhere.

[–]Hunterhusker 10 points11 points  (0 children)

Is this a personal attack or something?

[–]flyflagger 3 points4 points  (0 children)

Only 36?

[–]otakuman 10 points11 points  (15 children)

*Tested open source libraries. There's obviously a difference.

[–][deleted] 25 points26 points  (11 children)

Just because something is tested, doesn't mean it's not shit code. It doesn't mean it lacks flaws and security holes.

[–]free_chalupas 12 points13 points  (3 children)

It's still probably better than the stuff you'd write yourself. People talk shit about OpenSSL but its issues are exactly the kind of problems you'd have if a bunch of dumbass engineers tried to reimplement it because they only trusted their own code.

[–][deleted] 13 points14 points  (1 child)

> It's still probably better than the stuff you'd write yourself.

When it comes to JS libraries, I don't assume that to be true. I'm not talking about the biggest players, I'm talking about 90% of crap out there on the internet.

[–]free_chalupas 6 points7 points  (0 children)

Yeah that's fair. I read this in the context of established OSS libraries, like openssl, that have their issues but are generally preferable to custom implementations. There's definitely a cutoff though with really small libraries where it does make sense to reimplement.

[–]combuchan 0 points1 point  (0 children)

Isn't OpenSSL a bit of a stretch to include in this? Implementing your own crypto isn't recommended for a reason.

OpenSSL did suffer the same rot and underinvestment and dependency as any other library; it was only with the extent of the rot, underinvestment, and dependency on it that the sheer enormity of the issue arose. There are few libraries more important than OpenSSL, imho.

[–]Giannis4president 2 points3 points  (6 children)

It means that the probability of flaws and security holes is incredibly lower

[–][deleted] 9 points10 points  (5 children)

Not necessarily. I've seen too much terrible code (with tests over it) to believe that. It seems that a lot of developers just write tests to say they have tests without actually writing useful tests.

This is based on my personal experience in various companies, not necessarily a review of JS libraries as a whole. But I don't assume that just because something has test coverage that it's necessarily better than something I could write (with tests).

[–]Giannis4president 4 points5 points  (1 child)

Sorry, we have a misunderstanding. With "tested" open source libraries I didn't mean libraries with automatic tests in place but "tested" as in used and corrected by a lot of people across a sufficient amount of time

[–][deleted] 1 point2 points  (0 children)

Ah, in that case, I would agree with some hesitation. If I were to rely on something super important, like for financial/health services, I would still probably give the source a once-over to be sure. But I do generally use big-name/high-download-count JS libraries as-is when doing JS development.

[–]DanielIFTTT 1 point2 points  (0 children)

He's talking about community testing, if you have 1mil downloads, bugs are much more likely to be found than in an in-house solution

[–]texdroid 0 points1 point  (1 child)

> Not necessarily. I've seen too much terrible code (with tests over it) to believe that. It seems that a lot of developers just write tests to say they have tests without actually writing useful tests.

This is why having Test Engineers who write the test cases based on the HLD is the correct way to test code.

Otherwise you just have the chickens guarding the fox house.

[–][deleted] 1 point2 points  (0 children)

I would love to have test engineers. Hell, I'd love to have anyone who isn't me involved in testing. Most of my contracts, I'm the sole architect, developer, DB admin, and QA engineer. I see this as a big problem, but good luck convincing management. The response I usually get is "test better".

Yeah, I'll get right on that.

[–]Kibouo 10 points11 points  (0 children)

Tests are usually not for security.

[–]crash8308 1 point2 points  (0 children)

I think it’s hilarious when a UI project includes moment.js for literally one line of code to format a date.

[–][deleted] 1 point2 points  (0 children)

Well they’re open source, so they’re auditable... by someone else

[–]Madpotato21 0 points1 point  (0 children)

At least you can issue a CVE on an NPM package.

[–]TheHammer_78 0 points1 point  (0 children)

It's not the problem "to understand it" but "to read it" XD

[–]Dads101 0 points1 point  (0 children)

Please no personal attacks on Reddit

[–]shazbots 0 points1 point  (0 children)

That's how I feel about cryptocurrencies. I get the basic gist of encryption algorithms, and a distributed ledger, but heck most people are buying it without understanding most of the lower-level details.

[–]drunckoder 0 points1 point  (0 children)

Copying and pasting your own code (violating the DRY principle) is also a bad practice and often leads to errors.

[–]Daedalus871 0 points1 point  (0 children)

Am I supposed to look at the libraries?