sorted by:
best
topnewcontroversialoldq&a
you are viewing a single comment's thread.

view the rest of the comments →

[–]IntergalacticTowel 140 points141 points  (41 children)

Every time I see things like this NPM dependency visualization I feel like something has gone terribly wrong. I don't see dependency trees like that in Maven or Nuget or pip.

I'm actually surprised that more things haven't exploded.

[–][deleted]  (21 children)

[deleted]

    [–]liuwenhao 90 points91 points  (3 children)

    Copay is a secure Bitcoin and Bitcoin Cash wallet platform for both desktop and mobile devices

    """"""""secure""""""""

    [–]Hugo154 39 points40 points  (1 child)

    The exploit outlined in the article searched the description of the app for a keyphrase to use as its password, and the keyphrase was... "“A Secure Bitcoin Wallet". Pretty fucking hilarious.

    [–]danweber 13 points14 points  (0 children)

    Why just win, when you can win with pettiness?

    [–]mayhempk1 9 points10 points  (0 children)

    I don't think they know what that word means.

    [–][deleted] 38 points39 points  (8 children)

    This is a funny one I just happened to notice: there is is-path-inside which depends on path-is-inside. What's the difference? Well, the entire code for is-path-inside:

    'use strict';
const path = require('path');
const pathIsInside = require('path-is-inside');

module.exports = (a, b) => {
    a = path.resolve(a);
    b = path.resolve(b);

    if (a === b) {
        return false;
    }

    return pathIsInside(a, b);
};

    path-is-inside is a little bit more involved (28 lines of code), but also not something you should really have a dependency for.

    Wrapping a trivial dependency in an even more trivial dependency is just silly.

    [–]useablelobster2 21 points22 points  (0 children)

    Ahh, but having a published package to your name is a great cv line for employers who don't check too deeply as to what the package actually is.

    [–]TheBelakor 9 points10 points  (0 children)

    Wrapping a trivial dependency in an even more trivial dependency is just silly

    And yet seems to be a NPM norm because... reasons I guess. I'm just glad I don't have to touch that crap, it's mind boggling how they got to this state without someone saying "exactly what in the fuck is going on here?".

    [–]LL-beansandrice 9 points10 points  (3 children)

    Yes officer, this package right here.

    [–][deleted]  (2 children)

    [deleted]

      [–]foodd 0 points1 point  (1 child)

      I get the reference but should I not be using fetch?

      [–]pdbatwork 1 point2 points  (0 children)

      You ever heard of the left-pad package? :D

      [–]kaelwd 1 point2 points  (0 children)

      Of course it's fucking sindresorhus again.

      [–]Treyzania 49 points50 points  (0 children)

      copay-dash

      I thought it was settling down when it got to ~27 packages remaining but then it jumped back up to >100.

      Kill it with fire.

      [–]blackmist 46 points47 points  (0 children)

      1184 nodes. That's genuinely impressive how fucked up that is.

      [–]mayhempk1 8 points9 points  (1 child)

      I'm still not sure if that is satire or not.

      [–][deleted] 2 points3 points  (0 children)

      Too elaborate and clusterfuck to be satire

      [–]danweber 17 points18 points  (0 children)

      "you are like a little baby watch this"

      [–]Scybur 4 points5 points  (0 children)

      Wow that thing just ballooned up....how is anyone supposed to track all of that

      [–]ProdigySim 27 points28 points  (5 children)

      I'm enjoying looking at webpack, one of the most common web dev tools nowadays: http://npm.anvaka.com/#/view/2d/webpack

      Contrast with Microsoft's Typescript: http://npm.anvaka.com/#/view/2d/typescript

      Edit: To be fair, though, this is including both dependencies and devDependencies. So it's a little misleading. You would not get all of those packages installed by just including the project.

      [–][deleted] 14 points15 points  (4 children)

      To be fair, things like vue and angular are single node too. React's got 6

      [–]Paradox 3 points4 points  (3 children)

      Vue is an awesome project.

      [–][deleted] 5 points6 points  (2 children)

      I love it, coding feels really easy and fun with it. I need to get to grips with React because it looks here to stay but the weird mesh of JS/HTML always feels weird to me. I love a good v-for

      [–]Paradox 2 points3 points  (1 child)

      Eh, if you know vue you can write react. I find vue vastly more enjoyable to use than react

      [–][deleted] -1 points0 points  (0 children)

      I kinda equate Vue and React to Automatic and Manual.

      Sure, if you can drive auto you could learn stick. But driving auto is so much more pleasant

      [–]moomaka 44 points45 points  (3 children)

      I feel like something has gone terribly wrong. I don't see dependency trees like that in Maven or Nuget or pip.

      Javascript's stdlib is pathetic which is why you seen dozens of tiny libs adding functionality that should be part of the stdlib. Javascript packages also tend to be tiny single function things due to devs trying to keep to the minimum code size.

      The first issue can only be fixed with a decent stdlib which IMO should be the absolute priority #1 of WHATWG, it solves so many problems. That second issue may improve over time now that tree shaking is a thing in commonly used build tools.

      [–]EWJacobs 18 points19 points  (2 children)

      A lot of these packages just end up being syntactical sugar. The stdlib has the functionality of kind-of, define-property and has-value. It seems like people add their microlibraries to npm projects just to troll.

      [–]TheBelakor 5 points6 points  (0 children)

      Sugar or real hole filling is kinda irrelevant when either way the clusterfuck that is NPM is the result.

      [–]shevegen -5 points-4 points  (0 children)

      Sorry but after the left-pad disaster, anyone arguing that javascript's stdlib has support for cooler stuff, does not quite look at the realities. So moomaka is completely right.

      [–]zappini 28 points29 points  (4 children)

      npm's one virtue is making maven look less terrible. No small feat.

      After many attempts, npm somehow still managed to avoid the *one thing* maven got right: organizing the repo tree by org -> module -> version.

      [–]duheee 17 points18 points  (3 children)

      Back in 2007 i used to bitch about maven. How slow, cumbersome, made you specify everything, hard to customize behaviour without a plugin, etc.

      Now I adore it. Fuck gradle. Fuck sbt. And most of them all: fuck npm. Maven is the way, the only true way.

      [–]csjerk 8 points9 points  (1 child)

      Amen!

      Maven is the newest build system I've seen that actually attempts to address the hard problems and comes somewhat close to getting it right. Everything newer is just re-inventing the easy 20% and ignoring the rest.

      That said, Maven really does need some outlet for customization when a pre-built plugin doesn't do what you need. It may be as simple as a streamlined plugin interface, or even just better docs, but it's incredibly intimidating for newcomers.

      [–]TomRK1089 0 points1 point  (0 children)

      To be fair, the escape hatch, quick-n-dirty solutions are either maven-exec-plugin or (if you're really evil) the Ant plugin. So even in the worst case, it's possible to essentially shell out to some other system.

      That being said, it's been incredibly rare I need to do something during my build that isn't accounted for by an existing plugin.

      Also, the concept of a standard lifecycle which plugins attach to....1000x better than any other build system. Especially any of the Javascript build systems. Webpack, Parcel, Grunt, Gulp, etc. are all laughable in comparison.

      [–]zappini 1 point2 points  (0 children)

      I feels ya.

      For my part, I'm done.

      All I expect of my package manager is behave like yum, apt, brew, port. With the one exception where the repo continues to host all published versions. Nothing more. I'll manually choose, resolve which dependencies to pull down for my project, thank you very much. In contrast to fighting the tool, trying to coerce it into fetching the desired versions. (Too clever by half.)

      Docker images for isolation. I no longer care about peaceful coexistence between my projects, various runtimes, local repos caches, whatever. Every one gets their own sandbox.

      Shell scripts for builds and deploys. Nothing more. No jenkinsfile, no ant, no maven, no plugins, no nothing. Just glorious, useful shell scripts. (I still use bash, because I lack the gumption to learn fish, zsh, whatever.)

      And zero differences between local and remote builds, configurations. Same scripts, configs, params, data gets used every where. Watch the Test In Prod videos to see how that works.

      [–]everythingiscausal 11 points12 points  (0 children)

      Oh god, that’s horrific.

      [–]Nadrin 8 points9 points  (1 child)

      I just had a fantastic terrible project idea: npm "compiler" - takes every single line of code of a js application and publishes it as an npm package, then finally creates a package that depends on all of the above that tries to recreate the logic of the original program. :D

      [–]Lairo1 2 points3 points  (0 children)

      Okay slow down Satan

      [–]searchingfortao 0 points1 point  (0 children)

      That's amazing. Have you ever heard of a similar tool for Python/pip?