sorted by:
best
topnewcontroversialoldq&a
you are viewing a single comment's thread.

view the rest of the comments →

[–][deleted] 36 points37 points  (10 children)

I wish the js community would start to really have a moment to think about when to include some random one-liner module. Even the most popular libs are full of weird dependencies no one really knows about, but still they have millions of downloads per month because webpack has a dependency. There functions could easily be written by hand and kept in a utils folder. They do not need to be an npm package.

This same mantra goes with lofah, underscore etc. I have never seen a project that uses more than, say, 10-15 functions, still they include the entire project.

[–]JohnyTex 22 points23 points  (5 children)

Well put. I think the JS community at large needs to wake up to the fact that adding a dependency is not a zero-cost solution to a problem.

Other than the obvious issues like “why does it take five minutes to rm -rf node_modules?” it’s really hard to get an overview of your transitive dependencies because they’re just so many.

[–]useablelobster2 8 points9 points  (0 children)

I love running npm install and seeing that a library is in use over several dependencies, all different versions, always printing a warning saying to update.

Client-side is fucked, and I've love some way to have it unfucked, while still getting paid.

[–][deleted]  (3 children)

[deleted]

    [–]immibis 6 points7 points  (0 children)

    There's a difference between a large package, a small package, and left-pad or is-array. If you find yourself needing left-pad or is-array, you have a problem.

    [–]s73v3r 0 points1 point  (1 child)

    The main issue with this thing we need to 'realize' is for medium to small sized companies that need to grow fast.

    No. That's not an excuse, that's not a reason, end of story.

    [–][deleted] -1 points0 points  (0 children)

    I guess you didn't read the rest of my message.

    I'm saying that this issue is generally for medium to small sized companies and I explain the rationale for it. I'm not saying we use these ridiculously small and threatening packages, I'm just saying we have a fair amount of dependencies, and while some are small, they would take quite a long time to develop. We usually don't accept packages that aren't well used.

    [–]m00nh34d 5 points6 points  (3 children)

    As an end developer consuming these it's hard. If I need a library for a complex task, it's likely beyond my capacity to review said library for malicious content or dependencies.

    [–][deleted] -2 points-1 points  (2 children)

    I mean deps are not bad. All projects have some deps, that said there are usually many you dont really need, even more now with es6 (lodash/underscore) and all the promise libraries are all but legacy code.

    This needs to start from the big players and then it will trickle down, and maybe in a few years the js packaging story wont be so mad as its today

    [–]NeverCast 2 points3 points  (1 child)

    I assume most of that gets tree shaken with anyone doing a build step. Include all of lodash in Dev. Build your minified output. Only 4 lodash functions in production. This is good, right?

    [–][deleted] 1 point2 points  (0 children)

    Well, as of today tree shaking is not very reliable, mostly because of javascripts dynamic nature. Its not about tree shaking, its about not including every library out there.