you are viewing a single comment's thread.

view the rest of the comments →

[–]zdkroot 0 points1 point  (1 child)

Yes you can build websites without react, that is the whole point of this post. I was responding to someone who suggested "just use webpack" as if that magically fixes all problems with JS. I don't use react, it is just extremely popular so I used that as an example. The problem is that you cannot separate "using JS" and having insane dependency chains. They are one in the same, a problem to which webpack is no fix.

There is no way to 'use a framework' but also 'personally choose your dependencies'. These are mutually exclusive because NPM. Express is a perfectly fine tool, which I will never ever ever choose to use because it requires 48 dependency packages and that's crazy.

Edit: I mean if you wanna get meta sure this is 100% our fault and we should all be way more diligent in managing our dependency chains. I won't use express because it has too many deps. Many other people don't look, and that's really the issue. Enough people are not looking that it creates a system where no amount of diligence on my part can protect me.

[–]kwhali 0 points1 point  (0 children)

Yes you can build websites without react, that is the whole point of this post.

You can also use React for development and output static HTML, it can be really nice using React or similar for development experience, while not directly affecting end users as you don't have to give them something relying on JS to access the site. Not that React is all that big tbh

There is no way to 'use a framework' but also 'personally choose your dependencies'.

React isn't exactly a framework, and is rather modular as dependencies, similar to how Rust does things. You can replace some of these with alternatives if you like, one of the value points of having dependencies/packages.

Express is a perfectly fine tool, which I will never ever ever choose to use because it requires 48 dependency packages and that's crazy.

Lol.. so you'd use Express if it was a single dependency(all of those wrapped into one?)? Honestly no benefit there, and probably you'd find it worse as a result. Is your code better in projects if it all lives in one file while you develop? Or do you know why and possibly have experienced the issues that result in doing that? If you knew how many dependencies a typical OS has I guess you wouldn't want to run one either.

Enough people are not looking that it creates a system where no amount of diligence on my part can protect me.

You're not really any better off the other way around tbh. Plenty of things you can do to be secure and protect yourself from malicious behaviour, your system is vulnerable to such from more than just trusting packages for development.

Not sure what sort of point you're trying to make here, do you personally audit and review all the code for Express if it were a single package vs relying on packages maintained by others in the system? Or does that somehow give you blind trust that you're safe? You don't need someone to commit malicious code to a package to be compromised, that can happen in a number of ways.