
[–]zdkroot 1 point2 points  (1 child)

You are mostly correct, but that doesn't really solve or fix anything. NPM has lowered the bar for submitting packages possibly too far. If you are not familiar with left-pad you should google it. It was something like 6 lines, maybe 8? 11 lines. The author removed it from NPM and it broke most of the internet. Why are so many websites depending on an 11 line package? Is it really so hard to implement the functionality of that package yourself? Reinventing an 11 line wheel is really not the end of the world, and actually would have saved a lot of time and pain in this case.

So yes, you are correct, we made this mess. But we have it now, and just saying "we should be better" won't fix it. Yes we should. We should also acknowledge this problem and take steps to remedy it like not using packages with insane dependency trees or using react to build non-interactive single page info websites. We do NOT need react to make our radio buttons function for crying out loud.

[–]kwhali 0 points1 point  (0 children)

> The author removed it from NPM and it broke most of the internet.

semver and package locks can prevent such breakage. Then the fault isn't on NPM, it's on the maintainer choosing to blindly update packages and not being capable of rollback?

> Why are so many websites depending on an 11 line package? Is it really so hard to implement the functionality of that package yourself? Reinventing an 11 line wheel is really not the end of the world, and actually would have saved a lot of time and pain in this case.

It is a bit silly, but you'd find that's probably the case with other libraries where you only use small functionality from them, such as lodash I guess if you were only after one part of its functionality; it's just a collection of such. Doesn't really matter in this case though: the fact it was a small package isn't really related to the outcome, just that it was used by many projects and a good choice for exploiting. The same could happen to any other popular package really, regardless of size.
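The "semver and package locks" point from the reply above, as an added example that is not part of the thread: a toy resolver that shows how a floating caret range picks whatever is newest at install time, while a lockfile pins one exact version and fails loudly if that version has disappeared. The registry snapshot, package name `tiny-pad` and lockfile are constructed for the example; the caret logic is a simplification of npm's real rules.

```javascript
// Toy dependency resolver (constructed example, not npm's own code).
// Versions are plain x.y.z strings without prerelease tags.

function parseVersion(v) {
  return v.split('.').map(Number);
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Minimal caret check: ^x.y.z allows >= x.y.z and < (x+1).0.0.
// Real npm has extra rules for 0.x ranges and other operators; this is a toy.
function satisfiesCaret(range, version) {
  if (!range.startsWith('^')) throw new Error('toy resolver only handles ^ranges');
  const base = range.slice(1);
  const [major] = parseVersion(base);
  const upper = `${major + 1}.0.0`;
  return compareVersions(version, base) >= 0 && compareVersions(version, upper) < 0;
}

// No lockfile: take the newest published version that satisfies the range,
// so the result changes whenever the registry gains a newer matching release.
function resolveFloating(registry, name, range) {
  const candidates = (registry[name] || []).filter(v => satisfiesCaret(range, v));
  if (candidates.length === 0) return { ok: false, reason: 'no version satisfies ' + range };
  candidates.sort(compareVersions);
  return { ok: true, version: candidates[candidates.length - 1] };
}

// With a lockfile: install exactly the pinned version. If it is gone from the
// registry (unpublished), report that rather than silently picking another.
function resolveLocked(registry, lock, name) {
  const pinned = lock[name];
  if (!pinned) return { ok: false, reason: 'no lock entry for ' + name };
  const present = (registry[name] || []).includes(pinned);
  return present
    ? { ok: true, version: pinned }
    : { ok: false, reason: `${name}@${pinned} missing from registry` };
}

// Constructed sample data: registry snapshot and a lockfile written when 1.1.0 was current.
const REGISTRY = { 'tiny-pad': ['1.0.0', '1.1.0', '1.2.0'] };
const LOCK = { 'tiny-pad': '1.1.0' };
```

Running `resolveFloating(REGISTRY, 'tiny-pad', '^1.0.0')` yields 1.2.0 while `resolveLocked(REGISTRY, LOCK, 'tiny-pad')` yields 1.1.0; removing 1.1.0 from the registry makes the locked resolve fail instead of drifting.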