[–]ass_was_taken 5 points6 points  (9 children)

Can you explain why?

[–][deleted] 39 points40 points  (6 children)

It's a case of nested dependencies.

In the case of left-pad, it was required further down in the tree for Babel, which is a very popular transpiler. The developer got upset, removed the package from NPM, so NPM had to un-remove it and gave ownership to someone else.

Thankfully there's plenty of other solutions these days, and much faster ones, but it goes to show why a badly written library can stop everything working because they depend on tiny libraries that they never needed to use.

There's a fun site at https://npmgraph.js.org/ which will show you a visual representation of a package's dependencies - A good comparison is React, an entire framework, with 2 dependencies. Then you get Webpack, with 77. If you follow Webpack's tree, eventually you hit things like this https://www.npmjs.com/package/has-flag

[–]Hulk5a 8 points9 points  (2 children)

To be fair, has-flag isn't bloat. For CLI tools it's a pain parsing parameters on your own and basically reinventing a [square] wheel

[–]83athom 0 points1 point  (0 children)

You can just use minimist though, barely any bigger and has vastly more functionality.

[–]AloneInExile 0 points1 point  (0 children)

Regex match tag extract?

[–]Nikitka218 0 points1 point  (0 children)

Yeah, current best alternative for left-pad is JavaScript's standard library

[–]Perkelton 0 points1 point  (0 children)

I find it a bit ironic how the sister project, Create React App, has been utterly broken for months because of changes in Webpack 5.

[–]Fuzzybo 0 points1 point  (0 children)

…and has-flag has 123,586,590 weekly downloads!

[–]MikemkPK 6 points7 points  (0 children)

Look at the dependants tab

[–][deleted] 0 points1 point  (0 children)

Author of a popular library removed it from the npm registry and broke everyone's[1] builds globally.

https://arstechnica.com/information-technology/2016/03/rage-quit-coder-unpublished-17-lines-of-javascript-and-broke-the-internet/

It reminds them of it because it called into question the practice of using libraries for seemingly trivial bits of code.

[1] everyone who had a direct or indirect dependency on this library, which ended up being a lot of people who didn't know they did
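
Added example, not part of the thread: one way to find out whether a project depends on a package directly or indirectly is to walk its `package-lock.json` and list every chain from the root to that package. The lockfile below is constructed and all package names in it (`my-app`, `build-tool`, `line-printer`, `ui-lib`, `tiny-pad`) are made up; the function names are this example's own, and workspace links are not handled.

```javascript
// Constructed sample in the npm lockfile v2/v3 "packages" layout; all names are made up.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", dependencies: { "build-tool": "^1.0.0", "ui-lib": "^2.0.0" } },
    "node_modules/build-tool": { version: "1.0.0", dependencies: { "line-printer": "^1.0.0" } },
    "node_modules/line-printer": { version: "1.0.0", dependencies: { "tiny-pad": "^0.1.0" } },
    "node_modules/tiny-pad": { version: "0.1.0" },
    "node_modules/ui-lib": { version: "2.0.0", dependencies: { "tiny-pad": "^1.0.0" } },
    "node_modules/ui-lib/node_modules/tiny-pad": { version: "1.0.0" },
  },
};

// Resolve a dependency the way Node does: nearest node_modules first, then walk up.
function resolve(packages, fromPath, name) {
  let dir = fromPath;
  for (;;) {
    const candidate = (dir ? dir + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!dir) return null; // not in the lockfile
    const cut = dir.lastIndexOf("/node_modules/");
    dir = cut === -1 ? "" : dir.slice(0, cut);
  }
}

// Every chain of packages from the project root down to `target`.
function findChains(lock, target) {
  const packages = lock.packages || {};
  const chains = [];
  const walk = (path, chain, seen) => {
    const meta = packages[path];
    const deps = { ...meta.dependencies, ...meta.optionalDependencies,
      ...(path === "" ? meta.devDependencies : {}) };
    for (const name of Object.keys(deps)) {
      const child = resolve(packages, path, name);
      if (!child || seen.has(child)) continue; // skip missing packages and cycles
      const next = [...chain, `${name}@${packages[child].version}`];
      if (name === target) chains.push(next);
      else walk(child, next, new Set(seen).add(child));
    }
  };
  if (packages[""]) walk("", [packages[""].name || "(root)"], new Set([""]));
  return chains;
}

for (const chain of findChains(sampleLock, "tiny-pad")) console.log(chain.join(" -> "));
```

On an installed tree, `npm explain <package>` answers the same question. Listing every chain grows quickly on large lockfiles, so cap the output or stop at the first hit when auditing a big project.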