How One Dev Broke Node and Thousands of Projects In 11 Lines of JavaScript (theregister.co.uk)
An anonymous reader quotes an article written by Chris Williams for The Register: Programmers were left staring at broken builds and failed installations on Tuesday after someone toppled the Jenga tower of JavaScript. A couple of hours ago, Azer Koculu unpublished more than 250 of his modules from NPM, which is a popular package manager used by JavaScript projects to install dependencies. Koculu yanked his source code because, we're told, one of the modules was called Kik and that apparently attracted the attention of lawyers representing the instant-messaging app of the same name. According to Koculu, Kik's briefs told him to take down the module, he refused, so the lawyers went to NPM's admins claiming brand infringement. When NPM took Kik away from the developer, he was furious and unpublished all of his NPM-managed modules. 'This situation made me realize that NPM is someone's private land where corporate is more powerful than the people, and I do open source because Power To The People,' Koculu blogged. Unfortunately, one of those dependencies was left-pad. It pads out the left-hand side of strings with zeroes or spaces. And thousands of projects including Node and Babel relied on it. With left-pad removed from NPM, these applications and widely used bits of open-source infrastructure were unable to obtain the dependency, and thus fell over.
You can't just take hundreds of man-years of Ph.D level work and dump it into the public domain.
I'm proud of him. What a great move he made.
So, what have we learned?
External dependencies are unsustainable;
JavaScript is unmaintainable;
Dozens of mainstream projects relying on a trivial bit of string padding code from an external JavaScript dependency is unconscionable.
I know this is not a popular stance, but this is why I always include all npm package dependencies in my application's git repository. If the package goes away, it's not a problem.
What could possibly go wrong?
This is just hilarious. What a shit-show, from the bullshit legal threat to the developer's hissy fit to the dependence on an apparently obscure package to implement (lol) left-padding.
Reminds me of someone I knew who was wringing his hands for a few days over which license to use for his super-awesome R function library. He asked me for advice, and I told him that it's ~30 lines of syntactic boiler-plate code so get over yourself and just put it in public domain so that the two people who ever use it can do so easily. But of course, he had to deeply consider the political implications of which flavor of "freedom" he would support.
"They were pure niggers." – Noam Chomsky
Don't know who they are or what they do, but fuck them and boycott whatever it is they sell.
Those who do not learn from commit history are doomed to regress it.
Just kidding, I have no problem with Javascript. By the way, that summary was confusing as hell.
One of the beauties of JS is that it's easy to provide your own functions, so as long as it's only left-pad missing, you could provide your own, right?
function left_pad(str, min_length, pad_char){
    // Pad on the left until the string is at least min_length characters long.
    // Array(n).join(c) yields n-1 copies of c, hence the +1.
    if(str.length < min_length){
        str = Array(min_length - str.length + 1).join(pad_char) + str;
    }
    return str;
}
(note, I did not do any sanity/error checking in the function, so do not simply copy/paste, please fill it out if you intend to use it)
Everything is one letter away of meaning something in some language.
Roll your own libraries. No outside dependencies, and you'll probably leave out a lot of the cruft that is there "because."
"Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
Also, when was it made, originally?
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
Why would you ever build an app that assumed the perpetual existence AND availability of remote, opensource, Internet-hosted code?
the Kik application referenced has iOS, Android, and Windows Phone implementations that all rely on node.js for both overt client-side as well as server-side processing.
Good people go to bed earlier.
Installed Babel. Strange Error messages and babel borked and unusable. Same problem popping up all over the interweb.
Sad. Wanted to start with classes in JS. :-(
Does anyone know when this gets fixed and what the plan is?
We suffer more in our imagination than in reality. - Seneca
But it illustrates a key lesson for open source. So much of the project is not just code, it's governance and culture and how to make smart decisions under pressure in a way that respects the people involved. Node failed to do that, the guy pulled his code, they learned a harsh lesson. Let's see what the post-mortem letter is like to see if they really learned what they needed to.
Kik is one letter short of being kike (a racist name for a Jewish person). How brilliant.
It's also one letter short of being "kick" (a racist action to be performed on a Jewish person). How brilliant.
I've always thought this interconnected pile of stuff, linking across a bunch of domains was lazy, dangerous, and likely to be very brittle.
Sorry, but the interwebs have shown me I can't afford to trust arbitrary code from all over the place, which can change at a moment's notice, and which I know nothing about.
If you've created an infrastructure where tons of stuff breaks because some asshole corporation forces some guy to say "fuck you, you can't have my code", you have a terrible mess. What happens if someone adds some malicious code?
What I find really odd is they've over-ruled him and said "no, you can't un-publish your own stuff, we own it". So, what, they've decided his stuff was too important to still be his own? So he got fucked because of corporate assholes only to have his copyright infringed?
Jenga tower indeed, it sounds like the state of the art is a bunch of brittle dependencies controlled by a few places, and subject to causing a shit top of things to happen when someone makes a change.
This reminds me of a company I worked at which had a universal build system ... everything built from scratch every day and wouldn't build if any of its dependencies didn't build. So when some guy broke a component 3 components upstream, nobody could get anything compiled because the system was too stupid to go with the last known good ... and hundreds of developers sat around all day going "but, what do you mean we can't do anything because some guy checked in shit code".
Wow, just wow.
Steaming Heaps of Innovative Technology.
Lost at C:>. Found at C.
My big question is, Is Rust vulnerable to the same kind of problem?
Rust has Cargo which is similar to NPM.
If Cargo and Rust are vulnerable to this kind of problem, why wasn't it caught earlier? Isn't Rust supposed to be an ultra-safe and ultra-secure programming language?
This is what can happen when you use Other People's Code.
The more a project says "requires" something other than the language it's written in, you're making the risks worse.
The better the programmer, the less OPC they will use.
The best programmers are known by the announcement in their projects that their code was black box and has no external project dependencies. If you must use OPC, you should be looking hard for such a statement.
Of course, today, most "programmers" aren't deserving of the name in the first place. Glorified scriptkiddies at best.
Damn bossy underwear!!!
For all those who had their modules broken, get a class action lawsuit and sue Kik.
They want to use their landsharks to be bullies? Well, bully them right back!
Does anyone know when this gets fixed and what the plan is?
You could try to read the article.
To fix the internet, Laurie Voss, CTO and cofounder of NPM, took the "unprecedented" step of restoring the unpublished left-pad 0.0.3 that apps required. Normally, when a particular version is unpublished, it's gone and cannot be restored. Now NPM has forcibly resurrected that particular version to keep everyone's stuff building and running as expected.
And your nick is one character away from including the word "reamer", and two letters away from being "screamer".
It is simply not possible to exclude every word which is one or two letters away from offending some random idiot who thinks being one letter away is the same thing.
People can give something a name which is totally innocuous to them and which someone else is going to get into a hissy fit about.
So, what's more likely, he had no idea some random guy on the interwebs would make the comparison to a racial slur, or he used a word which sounded cool to him?
If you write *anything* that assumes the perpetual existence of a linked library from somewhere on the internet, you deserve what you get.
Most kids these days don't remember a time where internet access required a dial-up modem -- or it wasn't a 100% certainty it would be available.
If telephones are outlawed, then only outlaws will have telephones.
Nonsense. Laughable, even. Quality programmers can build anything. If they're wise, they will.
I guess you never worked with code then, eh? It is not about whether they can or cannot - it is about the resources involved. Writing and testing a production-level software library is not a trivial task. It takes time.
Again, this does not apply to string padding, which is usually resolved on a couple lines of code on the language of your choice...
It's fucking unbelievable how much trouble JavaScript has caused for so many people.
Let's ignore how fundamentally broken it is, as a programming language, in almost every respect. That includes its fucking awful type system, its total lack of real OO (sorry, prototypes are complete shit), its ultra shitty standard library (which is why NPM and this problem exist in the first place), and similar problems.
JavaScript has allowed too many unskilled cranks to shit out way too much broken code. It was one thing when they did it client-side, where it was isolated. Now it's being done server-side, and it's a motherfucking disaster!
Worse, JavaScript has enabled the web advertising industry. JavaScript makes it trivial for them to track your every move online. If you don't want to fall victim to it, then you have to waste your time disabling it everywhere by default, and selectively enabling it where you need it.
JavaScript needs to go.
If you really need to use a scripting language server-side, use Lua, or Python, or even goddamn Tcl. All three of them are better than JavaScript in every way.
That's the most amateurish piece of crap code I've seen in a while. Shame on the JS people for tolerating such an implementation! It's about the most inefficient solution you could contrive without simulated annealing.
This is a new interview question: "write left_pad() for me." If I get shit like the code in dispute, NO JOB!!
It also prevents versionitis: where the package didn't go away, but was changed in such a way that it no longer works the way it used to.
Your stance may not be "popular", but it is 100% correct — and very smart.
We can still be hosed by irresponsible changes in the underlying language, and/or irresponsible changes in the underlying OS (if there is one... not always the case.)
Python and Perl have both outright broken older code that was designed to the language spec. Windows and OS X have both broken APIs that were used properly to spec. I'm sure the lists are much, much longer than that -- those are just the cases I'm personally aware of.
And we should take very seriously the idiot "X has been deprecated" warnings in a language or an OS API, because that means some lame-ass bonehead is thinking about doing that very thing to us. Javascript, c libraries, OS APIs...
I've fallen off your lawn, and I can't get up.
And you just publicly debased yourself by betraying any knowledge of "social" media.
A wise programmer also knows that you do not need to write a new libc because you are starting a new project. Wisdom is knowing that well tested, debugged code is quite likely going to be better than the newly reinvented wheel. That isn't to say he couldn't reinvent said wheel, but the time would be far more productively spent writing the actual project.
In short, you've described not invented here syndrome.
What the f**k is that lame kik app BTW??!! Yet Another Chat App??!
I guess people should start naming open source projects using random strings...
This is so stupid...
Look at me mama! This name! "KIK" i'm so creative!!!!
And your nick is one character away from including the word "reamer", and two letters away from being "screamer".
I got the nickname "Reamer the Screamer" in the engineering class at junior high school. My model car required a larger opening to fit the CO2 cartridge ("reamer") and it whistled down the string ("screamer"). I never liked that nickname as it fit the reputations of several girls quite well.
Wise people and quality programmers don't waste their time reimplementing functionality that has been written, improved, reviewed, and tested by a large number of people.
Nah, this is a fallacious way of approaching software development. You only need to learn what you only need to learn.
1) You're never going to master it all or even most of it.
2) What you do write isn't going to be as good as what someone spends a large majority of their time perfecting.
3) Resource constraints.
So while you're hammering away building everything from scratch, someone else will have a finished product. So not that wise, eh?
Ironically, it may be Kik's attorneys that acted improperly here. Trademark law allows similar names to be reused for different fields of use, so long as there is not a possibility of confusion/loss of market. Here I seriously doubt that anyone would confuse a Javascript module with a chat application. So quite possibly this was a bogus assertion in the first place, which ended up causing serious damage to a lot of folks.
I follow the development of Signal (https://github.com/WhisperSystems/Signal-Android) and its fork SMSSecure (https://github.com/SMSSecure/SMSSecure). They had a similar problem too, where the developer of material-dialogs decided to remove all old versions of his library after an interface change, resulting in breaking builds (https://github.com/WhisperSystems/Signal-Android/issues/4138). Both projects solved it initially by hosting their own version, and then removed the library completely.
That's why I host all my dependencies myself, per project and on all my projects.
Special font? Self-hosted.
jQuery? Self-hosted.
CSS Toolkit? Self-hosted.
Massive monster webapp lib (like Google's Polymer)? Download, adjust URLs, move to project subdir, host yourself.
Some other lib? Downloaded, stashed and hosted in the project too.
Dependencies are fine, but you should always have them under your control.
I'd do the same with binary code.
This is, btw., one of the big problems with many Linux programs.
Thou shalt always mirror your dependencies. Never assume that everything will always be available. That's continuous integration 101.
Second paradigm: mirror even your dependencies source code, if you can.
Stupidity is the root of all evil.
and Azer's unpublished code, along with desiring it not be hosted @NPM on github.
uh oh.
Everybody is taking the lazy route and/or trying to save bandwidth by loading their libraries from foreign sources. Node.js , Google Hosted Libraries(jquery, angular...)
If you make yourself dependent on third parties, you'll get fucked.
Quit being such a nagger.
He could have updated the module to delete and format the contents of every machine it was run on. I'm kind of surprised this hasn't happened before considering how many modern environments have such slapdash dependency systems. At the very least a packaging system should by default generate and use a lock file which contains a version and a hash of the dependent package. Npm supports a "shrinkwrap" flag but it should be the default.
I'm pretty randomly spamming the keyboard will get you an actual word in Welsh.
I work with lots of code. I include 3rd party components. However, I am not dependent upon any external sources for that third party code. IOW, you can have dependencies, just make sure you own the servicing of said dependencies internally, and not some unknown 3rd party. It's even better if you have the source for all third party dependencies and build the artifacts yourself. Yes, this takes a little more time, but it significantly lowers the potential problems you may encounter later, plus your codebase will be guaranteed repeatable builds, which cannot be stated for the lazy approach.
The cesspool just got a check and balance.
Yes, this takes a little more time, but it significantly lowers the potential problems you may encounter later, plus your codebase will be guaranteed repeatable builds, which cannot be stated for the lazy approach.
Much agreed. And sadly, this is not the node.js way...
WTF!
The coder did what was totally normal for a coder. Just enforcing his moral rights. The stuff every author should defend, because that is why our incomes are that high compared to manual laborers!
Everyone out of JS told them that there was a problem with DEPENDENCY hell.
They said no. The problem is unsound technical practices where basically the assumption that all will go well is made to build everything.
The removal of a module was to be expected, like a lot of other things still bound to happen. But the JS community did not care to protect against such a small potential problem.
The problem is never someone doing what he is entitled to. It is people using code without understanding licenses and taking stupid risks.
It's fucking unbelievable how much trouble plumbing has caused for so many people.
Let's ignore how fundamentally broken it is, as a technology, in almost every respect. That includes its fucking awful historical association with toxic lead, its total lack of real modularity (sorry, reservoirs are complete shit), its ultra shitty set of mutually incompatible pipe sizes, materials, and connections (which is why this problem exists in the first place), and similar problems.
Plumbing has allowed too many unskilled cranks to shit out way too many leaky pipes. It was one thing when they did it in Ancient Rome, where it was isolated to a fountain in the town square. Now it's being done in people's houses, and it's a motherfucking disaster!
Worse, plumbing has enabled the for-profit water supply industry. Plumbing makes it trivial for them to track every drop of water you use. If you don't want to fall victim to it, then you have to waste your time turning off a bunch of valves, and digging wells everywhere.
Plumbing needs to go.
If you really need to use a water delivery technology, use a river, or a pond, or even a goddamn barrel . All three of them are better than plumbing in every way.
Serious question, guys. Why do people use NPM or other dependency managers in the first place? Each and every language seems to have its own different dependency manager with its own quirks and problems, such as the one described in TFA. In my company, we just use git with submodules for dependencies. This allows us to easily pull in dependencies regardless of the programming language used, or which online git repository they're in, our own or open source. Since we're already using git to manage our own source code, this just made perfect sense from day one, using a single tool to manage all of the source code. So, seriously, what's so great about fragmenting to multiple tools that all do the same job, only for different programming languages, when there is already a centralized tool that we're already using (git) along with these other tools (NPM or otherwise)? Why not just drop these other tools entirely, and avoid the issues mentioned?
Your comment is a superb specimen of the Hipster False Switcheroo fallacy!
It has all of the main characteristics.
Firstly, it involves a topic that hipsters hold dear: JavaScript.
Secondly, you've taken what was a sane, reasonable argument, and switched the words around to turn it into a failed, off-topic, irrelevant "argument" that's factually wrong.
Thirdly, you're oblivious to how your "argument" is failed, off-topic, and irrelevant.
Fourthly, you got wrongfully upmodded by some other hipster fool here.
What a fine specimen, indeed! It's almost like you went through a checklist to finely craft it.
Wait, that's a newly-discovered fifth characteristic!
Fifthly, you've put more effort into creating your failed, off-topic, and irrelevant "argument" than you've put into the artisanal bread you attempt to bake.
Wait, what? A package manager has a CTO? Why is there a SPF in the Javascript world? In the Java world, you would just add an additional repository to your Maven pom.xml and move on. (Or even better, you would already have had your own Artifactory listed, with all your required libraries mirrored there.)
On one end of the scale you've got "not invented here syndrome" and on the other end you have "cargo cult programming". The average person tends to be one of the extremes.
Just one more reason to hate dumbshit "hip" project names instead of actual descriptive names.
Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
Number one rule of programming is you never rely on external libraries being hosted somewhere else. You can't rely on those libraries being available for the lifetime of the project. It is the same when using, for example, Maven to rely on external libraries. This is something you should never do. Always have the libraries local.
Depends on your definition of "mastery". A good programmer with 6 months of experience is on average just as good as someone with 10+ years of experience. The reason for this is the average programmer will never reach mastery no matter how much time they spend. Most people don't get 10 years of experience, they repeat the first year of experience 10 times.
Stuff you don't want to reinvent is security, datetime, or fundamental libraries. And never use any code that you don't understand how it works. Not at the operation level, but characteristics and edge cases. I can't tell you how many times I've seen people unable to debug their issues because of some complex interaction between some "free library" that is popular. Rule of thumb. If someone contrives a hypothetical case, you should be able to tell them how your code will work. If you can't answer the question, then you didn't program, you threw code at a wall and it passed some crappy unit tests.
Wise people and quality programmers don't waste their time reimplementing functionality that has been written, improved, reviewed, and tested by a large number of people.
Yes, yes. Wasting time programming and learning one's craft is sooo tedious and a total waste of time dude. Hiding your cell-phone in one's tiny lap and playing Clash of Clans 4 hours a day at work is FAR MOAR important. True story by the way, and for more than one script-kiddie I've been forced to work with. And the real laugh-riot is they were using company phones to do it.
Apparently any 17 year old kid with a github account is a far better programmer than these guys as well. Because they are desperate to not "re-invent the wheel." Too bad they drive around in big-wheels with square tires.
Try writing an application that handles all the common image file formats, (at least JPEG, GIF, PNG and BMP) and get back to us.
For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
> Most people don't get 10 years of experience, they
> repeat the first year of experience 10 times.
Some do. Most? Bullshit.
Kik is one letter short of being kike (a racist name for a Jewish person). How brilliant.
It's pronounced "kick" (which is also one letter away). This is how companies create trademarks these days. They take a normal, everyday word, misspell it, then trademark it. Let's see.. "SyFy", "Cuore", "Stihl" (an original!), "Lite", "Lync", "Google" even (the spelling of the big number is "googol").
"Somebody has to do something. It's just incredibly pathetic it has to be us."
--- Jerry Garcia
Go fly a kite.
Nah, if it's random, there's a chance you might get two vowels in a single word.
Depends on your definition of "mastery". A good programmer with 6 months of experience is on average just as good as someone with 10+ years of experience.
A good programmer with 6 months of experience is on average just as good as someone with 10+ years of experience.
And that, right there, is why academia is a complete fantasy land.
the laziness of dev who can't write the one-liner that should be left-pad or the horrible implementation that everyone seems to have settled on.
It's one thing to say if I need to use SSL encryption, or some other sure-to-have-been-developed-already function, I should use a library.
But it seems more and more that library developers suck at the fundamentals of API development, and will indeed import some whiz-bango 3rd, 4th, and 5th-party libraries, each for one tiny function. And the extra libraries will always be called something like sheboyganMarmoset.
The same holds for applications and package managers. How many RPMs in RHEL carry a dependency on ModemManager, despite the fact that virtually no one still uses modems? Installing one RPM often carries 50 cascaded dependencies on far-flung libraries or applications.
It's fucking unbelievable how much trouble your mother has caused for so many people.
Let's ignore how fundamentally broken it is, as a mother, in almost every respect. That includes its fucking awful tit system, its total lack of real OO (sorry, implants are complete shit), its ultra shitty standard library (which is why she can't read in the first place), and similar problems.
your mother has allowed too many unskilled cranks to shit out way too much broken fuck. It was one thing when they did it client-side, where it was isolated. Now it's being done mother-side, and it's a mother fucking disaster!
Worse, your mother has enabled the web advertising industry. your mother makes it trivial for them to track your every move online. If you don't want to fall victim to it, then you have to waste your time disabling it everywhere by default, and selectively enabling it where you need it.
your mother needs to go.
If you really need to use a mother, use Lua, or Python, or even goddamn Tcl. All three of them are better than your mother in every way.
I make the analogy between the software dependency tree and the public park. Hundreds of people use it, and walk their dogs, and clean up after them, but it only takes one dog owner who doesn't to stop you and your kids from rolling around in the grass. Unless your dependency tree is locked down completely, you're just waiting for the one piece of s**t to ruin it. And laughing at node while using maven or APT or any other public repo system is hypocrisy.
....applications cried out in pain and were suddenly silenced......
Just trying to make you happy.... ;)
FYI, to give an idea of how long that would take, I did that a while ago for GIF, and between understanding the documentation and writing the code and debugging, it took 40 hours (my original estimate was ~8 hours ha!). So extrapolating based on that, the time required for the total collection would be 160 hours, pad it up to 200 hours to account for complications. Given the relative stability of the image libraries, it's unlikely to be worth re-implementing them.
"First they came for the slanderers and i said nothing."
The initial programmer didn't respond professionally; neither did NPM.
This was a cease-and-desist letter over a trademark. The programmer's public statement about the guy being a patent lawyer, even if it's true, it's irrelevant.
All they had to do was either (1) have a lawyer send back a letter saying there was no likelihood of confusion and nobody in their right mind was going to think a node module was an instant messaging app and the like, or (2) change the name--did they even have a lawyer call back *explain* the problem with a name change and ask the Trademark holder to let them mark it as deprecated for a year? Or (if they cannot afford an hour or three from a lawyer) do it themselves?
And when withdrawing his packages, the programmer should have been responsible to the open source community and, again, marked packages as deprecated for a period of time before withdrawing them. This was just irresponsible.
I just did the deep dive on NodeJS, Javascript libraries, and build tools in general.... my thoughts are "run.. run away". It reminds me of the early days of Smalltalk, except less organized and completely without discipline. And that's stating it in nice terms. Unfortunately, for some components I need, I'll be using some of these tools because I'm not rewriting them from scratch, although I am attempting to influence some library maintainers to incorporate some bug fixes that would help me. I'd rather have that than me maintaining those fixes.
go gadget open sores.
it's unlikely to be worth re-implementing them
Very true.
I am TheRaven on Soylent News
It's fucking unbelievable how much trouble people interacting with other people on the internet has caused for so many people.
Let's ignore how fundamentally broken it is, as a technology, in almost every respect. That includes its fucking awful historical association with trolls, its total lack of real insight (sorry, Anonymous' are opinions complete shit), its ultra shitty set of mutually incompatible ideas, memes, and non sequitur invective (WHICH IS THIS SHOUT SHOUTY SHO), and similar problems.
Typing stuff on the Internet has allowed too many unskilled cranks to shit out way too many words. It was one thing when they did it in Ancient Rome, Cicero or Julius Caesar #vinividivici. Awesome. Now it's being done in people's basements, and it's a motherfucking disaster!
Worse, communication has enabled the for-profit media industry. Google makes it trivial for them to track every word you type. If you don't want to fall victim to it, then you have to use a VPN or anonymous mode or TOR or something, I don't know who cares? Just give me my groupon, OK?
Forums need to go.
If you really need to use an idea delivery technology, use a letter, or a parchment, or even a goddamn cave painting . All three of them are better than Internet in every way.
Oh, and most existing image libraries have been reasonably well fuzz-tested recently and had hundreds of security holes fixed, because parsing binary formats in C without introducing exploits turns out to be hard.
If you want to avoid security holes you need to have the security mindset from the beginning, thinking about how to avoid security holes. You can't 'reasonably well fuzz-test' a project like that......if you've fixed 100 security holes, then most likely there were more than 100 and you've missed some. Having worked with the source code for libjpeg and libpng, I am certain I can write more secure code if that is the goal. I would probably double the time estimate, though.
Incidentally, glibc is another library that worries me for security because of its ubiquitous nature.
It doesn't really hurt much to make javascript even more broken. I hardly thought it was even possible. There is no proper standard library, the language is a mess. There is no proper type system (there are barely a set of useful types), lots of totally random problems with scoping, there are no proper object oriented features, and it relies on a mashup of terrible technologies, all badly implemented and totally inconsistent to be used for anything.
I look forward to being able to compile sensible languages to WebAssembly, so that this horror can die a much desired death.
Incidentally, java seems to be plagued by a similar dependency rash. A typical java project may have over 100 libraries, making it completely unmaintainable. Nobody without a huge team can test, check security issues, and validate such a huge collection of components. Simply not viable for production quality deployment.
Ya totally just cemented owning that laughable nickname by your own complete lack of understanding and usage of it. Good job! :)
Ya totally just cemented owning that laughable nickname by your own complete lack of understanding and usage of it.
I understand perfectly what it meant. But people who give me a negative nickname become uncomfortable when I take ownership of the nickname, turn it around and wear it as a badge of honor. I used to be called "Tortuga" (Spanish for turtle) when I worked in a restaurant. I got removed from working the line as captain after a month because I worked the Latinos too hard and too fast.
Reliance on S3 and the inherent flakiness therein meant running an npm install was rolling the dice as to whether or not your modules would actually download and install.
Anybody who wasn't playing amateur hour already mirrored or had an npm cache in place.
Yeah, except Stihl was the founder's name; it's also a German company so no relation to the English word.
"resolved IN a couple lines of code IN the language of your choice..."
Fucking American idiot. Those two letter prepositions are just SO difficult to remember, aren't they...
It's absolutely astonishing to me that anyone would deploy JavaScript that depends on the stability of an external library outside of their control.
I had no idea a developer would even consider doing this.
Grabbing a local copy is so easy to do, and the extra disk space/bandwidth is so insignificant -- and the payoff is so high because it eliminates a likely source of instability. What possible justification is there for not doing it?
What is the future of the profession of web development, given that the quality of the developers is obviously so low?
Yeah, except Stihl was the founder's name; it's also a German company so no relation to the English word.
Can't be German. It's too short. :)
I remember the controversy about the WingDings TrueType font that Microsoft made. It had a bunch of random little pictograms, and as this was long before Unicode support was common, it had the pictures mapped to random characters.
Someone noticed that if you typed "NYC" and then changed the font to WingDings the result was a skull-and-crossbones, a Star of David, and a hand making a thumbs-up gesture. So obviously, this was a shorthand way of saying: death to Jews in New York City is a good thing. And obviously, this was done on purpose by some black-hearted person at Microsoft.
http://www.snopes.com/rumors/wingdings.asp
The moral of the story: no matter what you do, someone will find a way to get upset by it.
lf(1): it's like ls(1) but sorts filenames by extension, tersely
The app's dev should also sue this site. Some folks might not be able to distinguish between yet another chat app and a clothing shop.
...use external libraries so you're not re-inventing the wheel but keep your own copy of those libraries. So, you end up with your own unique island of code, basically cut-and-paste writ large?
I'd say the person who needs to learn a lesson is the author, not Node.
The best thing about this?
1. It's a shitty algorithm because it does repeated string concatenation. It runs in fucking exponential time.
2. In any reasonable fucking language, this is printf("%Ns", str)
It's a shitty ecosystem.
It would be if the messaging app that had it yanked down used his code and that was rendered unusable now.
No matter how good it is, it is human nature to always want to make things better.
Let me be upfront about my biases first: Node is trying to solve a problem that really doesn't need to exist: to write everything in one language. It's amazing how much demand there is for it. It's clear that the core libraries and language just can't keep up with developer demands and the number of libraries to fill those demands has exploded out of control. Npm is packed to the gills with vanity projects that are made as a resume item for developers. Sure, there's plenty of these in other ecosystems, but it's amazing what has come to depend on them.
The Node ecosystem is amazingly fragile and it's going to get worse and worse. I fully expect there will be lots of work in the future unwinding the messes people made with it and replacing it with a more appropriate platform.
"And thousands of projects including Node and Babel relied on it."
So you're saying the tower of Babel fell?
In one fell swoop, this person did exactly what free software is trying to prevent: a single overpowered entity who decides to leave and take his ball home with him, thus ruining it for everyone else. Power to the People? Only if our benevolent dictator also gets his way.
It's fucking unbelievable how much trouble I have caused for so many people.
Let's ignore how fundamentally broken I am, as a human, in almost every respect. That includes my fucking awful humor system, my total lack of real life (sorry, facebook posts are complete shit), my ultra shitty set of unforgiven excuses and misconceptions (which is the cause of all this in the first place), and similar problems.
I have allowed too many unskilled cranks to shit out way too much from my broken life. It was one thing when I did it to myself, where it was isolated. Now it's being done to everybody, and it's a motherfucking disaster!
Worse, I have enabled the crazy dudes. I make it trivial for them to call you and keep you on the line. If you don't want to fall victim to it, then you have to waste your time blocking your calls everywhere by default, and selectively enabling the calls where you need it.
I need to go.
If you really need me, use Trump, or Francisco, or even goddamn Mickey. All three of them are better than me in every way.
Worse than that, because you probably didn't check for security issues and all the corner cases that other libraries developed over 2+ decades have dealt with.
See here. No one should be using this anyway.
Worse than that, because you probably didn't check for security issues and all the corner cases that other libraries developed over 2+ decades have dealt with.
No, I would take an approach similar to formal verification.
"First they came for the slanderers and I said nothing."
Am I the only one left who absolutely despises Node.js?
Node.js code looks like unmaintainable garbage, like the worst Perl code from the 1990's.
Another developer in my company brought in a dependency upon Node.js recently, and I'm not happy about it. I won't work on the code.
Software is not supposed to be write-once, throw away. Software is meant to be a communication to the next computer programmer, of unknown skill level, of your intentions and the limitations of what you have done. Software always has to be modified, so it has to be readable. If you happen to live in a Western nation, reading code should read like reading a novel and then editing a novel in your language. It should not be a ridiculous mess of punctuation marks, either your code or a novel.
The situation with this package manager is indicative of a don't-give-a-shit attitude, gross inexperience, or simply people who think that they're clever because they have mastered a shit language/environment/syntax/whatever and have cobbled together a shit ecosystem around it.
So you don't use a language's standard library then?
Dumbass
It's funnier seeing apk and slashdot users make you eat your words amicusnycl https://slashdot.org/comments.... Apk gives users more speed, security, reliability and anonymity. What have you done better? Nothing! Only mere irrelevant ramblings from an insignificant nobody in yourself is all anyone sees from you. I see nobody speak well of work you do. They do of apk in that link above. I found it hilarious in your little failed 'campaign' to try to stop apk posting that you lose there too. Apk's posting as much as ever and you are sitting here with egg on your face. Hahahahahaha! HOW EMBARRASSING FOR YOU amicusnycl in you shooting your big mouth off to have it slapped shut by apk.
How does NPM have the right to restore the module?
Something stinks. Is that you NPM? Bowing to lawyers? How weak.
If developers are working under a license where they can withdraw their source, there is risk to anyone using their code downstream.
She was like chocolate when she drank... semi-sweet at first and then increasingly bitter.
Wait, I implemented a new libc when I started a project, because the existing one was too large. Not entirely from scratch though, there was a lot of copying of our earlier code followed by a lot of slash and burn. Seriously, newlib was too big and had incompatible design choices. Not that we use a lot of libc, but you do need a small handful of basic functions.
For a long time I have avoided US-based software and its absurd non-export list. What if I know someone from Cuba and want to exchange some ideas? Well, the best thing is to avoid US repos entirely, I thought.
Just now I discovered another nastiness in the US: lawyers.
Cross the street when you see one. Just to be on the safe side...
Unless the functionality doesn't work or does not meet your requirements. It's called programming. If the only thing you've ever done is call libraries but are unable to write code similar to what a library routine does, then that's not really programming.
Remember, actual human beings with less than divine powers wrote those libraries! It may be a good rule of thumb or guideline for novice programmers to not reinvent the wheel, but it should not be an absolute taboo for all programmers of all skill levels and all projects. If there is no wheel that you can find or afford for your project then by necessity you must create one; it's not even reinventing the wheel but instead reimplementing to match the requirements.
Bignum math libraries may be a good example as mentioned earlier. You may not be able to find one that is affordable and not burdened with some open source license that your legal team feels is safe to use (you can not just copy GPL code willy nilly and stick it into your proprietary product). They often come with cryptographic libraries but may be too large for your actual system or have runtime requirements that are unacceptable (need 1KB stack or more). It is reasonably common to find optimized variants of such libraries making use of inline assembler for key routines. You will also find a handful of such libraries and need to be able to decide which one is appropriate (i.e., read the source code, run tests, do measurements). Libraries are very often overly general purpose and bloated with unnecessary features.
I've implemented some of all those categories. Security because there's rarely a security library that does just what you want, or because the library you do have is too slow or too large (seriously, there are some very poorly written SHA algorithms in professional libraries). Datetime because the system had a bad library that we had to replace and I would not just steal code from GPL and break their license; BSD was a guideline to start but had its own issues because of historical system issues. And fundamental libraries because we needed much much smaller versions of things like memmove, strtoul, and the like that were optimized for severe space requirements. Sometimes you have a requirement of "make it boot in less than half a second" and then you find you can achieve that by optimizing the libraries. Sometimes a lot of commercial stuff comes with really bad libraries; there are network stacks or operating systems that decide to stick in their own basic C libraries for some stuff that are of very dubious quality.
People don't have to do this, but they should at least know how if they ever need to and should be able to recognize when it is needed. Like when your JavaScript library to pad out strings vanishes overnight.
(for security I should mention that we vetted all of this and the changes and fixes to the original commercial library, we weren't just cocky people thinking we knew better than the experts)
The code is presumably open source, meaning that NPM can still distribute whatever version they still have. Also, the trademark dispute regards a package named "kik", and not the left fill script the story pertains to.
At this point, if he isn't creating his own language, he's a hypocrite.
A bunch of faggots who use it anyway
Yeah, the article says "gone and can not be restored" when it's clearly "will not be restored" since they clearly CAN do it. Logic fail.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Ah, found a couple super-sensitive, cut-and-paste, trial-and-error Clash of Clans players.
Wipe the tears from your face child, you'll get moar gems someday. At work I suspect.
WTF is behind this JavaScript everywhere bit? Who is pushing this and why?
So obviously, this was a shorthand way of saying: death to Jews in New York City is a good thing.
It depends on who you ask. Some said that it meant "Jews did it".
Yet another tale of Citizens-United-type bullying. Freedom = #BernieSanders
Yeah, the article says "gone and can not be restored" when it's clearly "will not be restored" since they clearly CAN do it. Logic fail.
It's a common policy statement to avoid being inundated with requests to recover deleted files. The website did have backups and was able to recover that deleted file.
Yep. They negotiated once, now they will have to do it again next time or be called liars. What dumbasses. Almost as big dumbasses as the people linking external scripts
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
If you aren't starting from a computer system with no software, not even a BIOS, you are a hypocrite.