How One Dev Broke Node and Thousands of Projects In 11 Lines of JavaScript (theregister.co.uk)
An anonymous reader quotes an article written by Chris Williams for The Register: Programmers were left staring at broken builds and failed installations on Tuesday after someone toppled the Jenga tower of JavaScript. A couple of hours ago, Azer Koculu unpublished more than 250 of his modules from NPM, which is a popular package manager used by JavaScript projects to install dependencies. Koculu yanked his source code because, we're told, one of the modules was called Kik and that apparently attracted the attention of lawyers representing the instant-messaging app of the same name. According to Koculu, Kik's briefs told him to take down the module, he refused, so the lawyers went to NPM's admins claiming brand infringement. When NPM took Kik away from the developer, he was furious and unpublished all of his NPM-managed modules. 'This situation made me realize that NPM is someone's private land where corporate is more powerful than the people, and I do open source because Power To The People,' Koculu blogged. Unfortunately, one of those dependencies was left-pad. It pads out the left-hand side of strings with zeroes or spaces. And thousands of projects including Node and Babel relied on it. With left-pad removed from NPM, these applications and widely used bits of open-source infrastructure were unable to obtain the dependency, and thus fell over.
See this is the exact scenario I've talked about before, typically when learning a new coding language. Dependencies and libraries are BAD. 1: because they remove the need to understand what's actually going on (premade functions for example) 2: because some asshat could yank them away and leave your project broken, then YOU have to figure out how to replace the dependencies. I get not reinventing the wheel. But you really need to pay attention to what your code is dependent on and remove that dependency if possible
So, what have we learned?
External dependencies are unsustainable;
JavaScript is unmaintainable;
Dozens of mainstream projects relying on a trivial bit of string padding code from an external JavaScript dependency is unconscionable.
Everything is one letter away from meaning something in some language.
Roll your own libraries. No outside dependencies, and you'll probably leave out a lot of the cruft that is there "because."
"Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
Yeah, because should only apply their ethics when you say it's okay. How vain of people to care about their personal ethics.
Those who do not learn from commit history are doomed to regress it.
Dependencies are unavoidable, especially on big projects - you are not expected to reinvent the wheel every time you code.
Now, having a dedicated library dependency for padding strings is a bit of a stretch though...
I've always thought this interconnected pile of stuff, linking across a bunch of domains was lazy, dangerous, and likely to be very brittle.
Sorry, but the interwebs have shown me I can't afford to trust arbitrary code from all over the place, which can change at a moment's notice, and which I know nothing about.
If you've created an infrastructure where tons of stuff breaks because some asshole corporation forces some guy to say "fuck you, you can't have my code", you have a terrible mess. What happens if someone adds some malicious code?
What I find really odd is they've over-ruled him and said "no, you can't un-publish your own stuff, we own it". So, what, they've decided his stuff was too important to still be his own? So he got fucked because of corporate assholes only to have his copyright infringed?
Jenga tower indeed, it sounds like the state of the art is a bunch of brittle dependencies controlled by a few places, and subject to causing a shit ton of things to happen when someone makes a change.
This reminds me of a company I worked at which had a universal build system ... everything built from scratch every day and wouldn't build if any of its dependencies didn't build. So when some guy broke a component 3 components upstream, nobody could get anything compiled because the system was too stupid to go with the last known good ... and hundreds of developers sat around all day going "but, what do you mean we can't do anything because some guy checked in shit code".
Wow, just wow.
Steaming Heaps of Innovative Technology.
Lost at C:>. Found at C.
Bullshit.
Dependencies and libraries are fine. If you want to use SSL encryption in your software you should try and re-implement it all, because while SSL libraries have been having security issues in the last few years there's almost zero chance you make something that doesn't have bigger ones. Multiply that by all the domain specific pieces of code you need.
Not having to understand what's actually going on is a feature not a problem.
What is retarded is using a dependency that exists out in the internet somewhere only, so that your code breaks if some random internet service disappears. As long as you have your own copy of the dependency it's fine. Some asshat can't yank them away since you have your own copy that doesn't magically stop working. Obviously you want the source code, or at the very least the source code escrowed somewhere that you obtain if the provider vanishes in the future.
This is what can happen when you use Other People's Code.
The more a project says "requires" something other than the language it's written in, you're making the risks worse.
The better the programmer, the less OPC they will use.
The best programmers are known by the announcement in their projects that their code was black box and has no external project dependencies. If you must use OPC, you should be looking hard for such a statement.
Of course, today, most "programmers" aren't deserving of the name in the first place. Glorified scriptkiddies at best.
Your left pad solution is 40% shorter and probably more efficient than the crap that was yanked from NPM.
The original code from NPM is more readable. Given the choice between compact code and readable code, I prefer readable code. Especially when it comes to my own code and I have to figure out what I wrote months or years later.
Dependencies are unavoidable, true, but it's a good practice to vet libraries before you include them and make sure they're worth the risk.
The risk with Open Source libraries is usually long term maintenance - will the project be maintained for the lifetime of my project? If the project is not maintained, is it something you're willing to take on and will the license and community let you fork it? If not, there's risk.
You also have the risk we see here - ideology trumping pragmatism (that's a nice way of saying the developer had a fit and took his toys away for reasons even he doesn't fully understand). In those cases, you also have the chance to fork, assuming the license/community allows it.
For trivial operations, such as left padding, it's almost never worth the risk to use a library unless it's part of the language's standard library. Sure, don't write your own FFT or ORM, but if you can code a function in a few minutes for a well defined problem, there's no reason to add an external dependency.
-Chris
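An in-house left pad of the kind the comment above has in mind, added here as an example (this is not the original left-pad module's code). Padding with spaces by default or with zeros when asked follows the behaviour the summary describes; treating a numeric pad argument of 0 as the character "0" is this example's own assumption.

```javascript
// Added example, not the left-pad module that was unpublished from NPM.
// Pads the left-hand side of a string up to `len` characters using `ch`
// (a space by default, or "0" when 0 is passed). Strings already at least
// `len` long are returned unchanged.
function leftPad(str, len, ch) {
  str = String(str);                       // accept numbers and other primitives
  if (ch === undefined || ch === null || ch === "") ch = " ";
  ch = String(ch);                         // assumption: 0 means the character "0"
  if (ch.length !== 1) throw new RangeError("pad must be a single character");
  const missing = Math.max(0, Math.floor(len) - str.length);
  return ch.repeat(missing) + str;         // no-op when nothing is missing
}

// Small self-check so the file runs stand-alone.
if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify([leftPad("7", 3, 0), leftPad(42, 5), leftPad("toolong", 3)]));
}
```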
The downstream impact of my dump is comparable to the downstream impact of 99% of github bullshit. That's the analogy.
Some things are not worth agonizing over, or "discretion is the better part of valor".
"They were pure niggers." – Noam Chomsky
Nonsense. Laughable, even. Quality programmers can build anything. If they're wise, they will.
I guess you never worked with code then, eh? It is not about whether they can or cannot - it's about the resources involved. Writing and testing a production-level software library is not a trivial task. It takes time.
Again, this does not apply to string padding, which is usually resolved in a couple of lines of code in the language of your choice...
It's fucking unbelievable how much trouble JavaScript has caused for so many people.
Let's ignore how fundamentally broken it is, as a programming language, in almost every respect. That includes its fucking awful type system, its total lack of real OO (sorry, prototypes are complete shit), its ultra shitty standard library (which is why NPM and this problem exist in the first place), and similar problems.
JavaScript has allowed too many unskilled cranks to shit out way too much broken code. It was one thing when they did it client-side, where it was isolated. Now it's being done server-side, and it's a motherfucking disaster!
Worse, JavaScript has enabled the web advertising industry. JavaScript makes it trivial for them to track your every move online. If you don't want to fall victim to it, then you have to waste your time disabling it everywhere by default, and selectively enabling it where you need it.
JavaScript needs to go.
If you really need to use a scripting language server-side, use Lua, or Python, or even goddamn Tcl. All three of them are better than JavaScript in every way.
True, but lawyers don't understand those words, they just know it's about computers so anything computer related called "kik" must die. They are like marauding barbarians, waving their clubs in the air and smashing anything that looks a bit like the magic rock they worship.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
Thou shalt always mirror your dependencies. Never assume that everything will always be available. That's continuous integration 101.
Second paradigm: mirror even your dependencies source code, if you can.
Stupidity is the root of all evil.
Yeah but that's not how they think.
They're not real lawyers. They're a "brand management" company that was hired over a game of golf. Their job is to prove that they are useful to their clients.
So they fire up a search engine and find every instance of the word 'kik', then send legal flavored nastygrams to everyone they can find. In some cases they harass poor developers working on js projects.
Then they put it all in a report and give it to their employer to 'prove' how much they protected their 'brand'
They don't give a wet fart about the consequences as there are effectively zero legal repercussions for this behavior.
Your comment is a superb specimen of the Hipster False Switcheroo fallacy!
It has all of the main characteristics.
Firstly, it involves a topic that hipsters hold dear: JavaScript.
Secondly, you've taken what was a sane, reasonable argument, and switched the words around to turn it into a failed, off-topic, irrelevant "argument" that's factually wrong.
Thirdly, you're oblivious to how your "argument" is failed, off-topic, and irrelevant.
Fourthly, you got wrongfully upmodded by some other hipster fool here.
What a fine specimen, indeed! It's almost like you went through a checklist to finely craft it.
Wait, that's a newly-discovered fifth characteristic!
Fifthly, you've put more effort into creating your failed, off-topic, and irrelevant "argument" than you've put into the artisanal bread you attempt to bake.
It's fucking unbelievable how much trouble your mother has caused for so many people.
Let's ignore how fundamentally broken it is, as a mother, in almost every respect. That includes its fucking awful tit system, its total lack of real OO (sorry, implants are complete shit), its ultra shitty standard library (which is why she can't read in the first place), and similar problems.
your mother has allowed too many unskilled cranks to shit out way too much broken fuck. It was one thing when they did it client-side, where it was isolated. Now it's being done mother-side, and it's a mother fucking disaster!
Worse, your mother has enabled the web advertising industry. your mother makes it trivial for them to track your every move online. If you don't want to fall victim to it, then you have to waste your time disabling it everywhere by default, and selectively enabling it where you need it.
your mother needs to go.
If you really need to use a mother, use Lua, or Python, or even goddamn Tcl. All three of them are better than your mother in every way.
Missing from your list is that NPM didn't just pull the npm package, they reassigned it to a different user. Think about the security implications of that... it implies anyone can send a few intimidating emails, gain control of a major project, and then substitute with their own code/malware.
Assuming that's how it played out, it might be a good thing the developer threw a hissy fit: the resulting public fallout may or may not prompt NPM (and NuGet, Cargo, Docker, and so forth) to reconsider the trust problem they have created.
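The two mitigations raised in this thread, keeping your own mirror of every dependency and not trusting a registry entry that could be reassigned to someone else, can be checked mechanically in an npm lockfile. The script below is an added example, not NPM's or any project's code: it reads a constructed package-lock.json fragment (lockfileVersion 2/3 "packages" layout) and flags any dependency that does not resolve to the organisation's mirror, or that lacks the integrity hash `npm ci` verifies before unpacking a tarball. The mirror hostname and the hash values are placeholders.

```javascript
// Added example, not from the thread. Audits an npm lockfile for two risks:
// a dependency fetched from outside the organisation's mirror, and a
// dependency with no integrity hash (so a swapped tarball would not be caught).
const MIRROR_HOST = "npm-mirror.example.internal"; // assumed placeholder

// Constructed lockfile fragment; the integrity values are placeholders, not real digests.
const SAMPLE_LOCK = JSON.stringify({
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/left-pad": {
      version: "1.3.0",
      resolved: "https://npm-mirror.example.internal/left-pad/-/left-pad-1.3.0.tgz",
      integrity: "sha512-AAAAconstructedPlaceholderDigestAAAA=="
    },
    "node_modules/kik": {                      // resolves to the public registry
      version: "0.0.1",
      resolved: "https://registry.npmjs.org/kik/-/kik-0.0.1.tgz",
      integrity: "sha512-AAAAconstructedPlaceholderDigestAAAA=="
    },
    "node_modules/untracked": {                // mirrored, but no integrity field
      version: "2.0.0",
      resolved: "https://npm-mirror.example.internal/untracked/-/untracked-2.0.0.tgz"
    }
  }
});

// Returns [{pkg, reason}, ...]; an empty array means every entry passed both checks.
function auditLockfile(lockText, mirrorHost = MIRROR_HOST) {
  const lock = JSON.parse(lockText);
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue;                 // the root project itself
    const pkg = path.replace(/^.*node_modules\//, "");
    let host = null;
    try { host = entry.resolved ? new URL(entry.resolved).hostname : null; } catch (e) { host = null; }
    if (host !== mirrorHost) {
      findings.push({ pkg, reason: `resolved outside mirror: ${entry.resolved || "(none)"}` });
    }
    if (!/^sha(256|384|512)-[A-Za-z0-9+/=]+$/.test(entry.integrity || "")) {
      findings.push({ pkg, reason: "missing or malformed integrity hash" });
    }
  }
  return findings;
}

if (typeof require !== "undefined" && require.main === module) {
  for (const f of auditLockfile(SAMPLE_LOCK)) console.log(`${f.pkg}: ${f.reason}`);
}
```

Run against a real lockfile by replacing SAMPLE_LOCK with the file's contents; a non-empty result is the signal to fail the build before `npm ci` runs.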
-1, Too Many Layers Of Abstraction