undefined | Better HN

0 pointsreificator8y ago0 comments

The left pad thing could have happened somewhere else, true enough.

But it was far more likely to happen in Node than anywhere else, for the following two reasons:

1.) Javascript has a tiny stdlib relative to other languages that are also used for "real work". I make that distinction just to rule out LOLCode/etc....

2.) NPM makes it so damn easy to add dependencies, both for finished products as well as component packages themselves.

#2 came about because of #1, and is honestly the only way that Node could have gained traction. So while it's NPM's fault you can't really blame them for making that choice.

A month or two ago I wanted to add a single NPM dependency to a project at work. I knew it built on top of other packages, but when I installed it I ended up somewhere between 690 and 700 dependencies. From typing `npm install {one-specific-package}`.

0 comments

3 comments · 1 top-level

thehardsphere8y ago· 2 in thread

More crucially to your point 2, NPM allowed people to remove packages once they've been released, and for others to release packages with the identical name as a previously-existing package.

I'm not aware of any other package managers that exhibit this rather dangerous behavior.

reificatorOP8y ago

Yeah, I did leave that bit out, because that's an implementation detail that I believe they have since resolved. It was a massive mistake, but one that could have been avoided and has since been patched.

#1 and #2 are foundational to providing Javascript on the server. You could do without #2, but because of #1 it means you'll have a harder time attracting and maintaining a userbase if you don't do it that way.

This leaves you vulnerable in the long run IMO.

kbenson8y ago

> but one that could have been avoided and has since been patched.

It would be really nice if many newer languages didn't act like they existed in a vacuum and no prior art existed. Package management was by no means new at the point NPM was being developed, and if they didn't have enough people with experience with the nasty edge cases package managers in other languages had discovered, it would have been trivial to solicit advice from the architects of the package systems for other languages. If there's one thing software engineers love, it's talking about crazy situations where nobody considered this weird edge case and how they had to scramble to fix it (I know I do).

I think we've thankfully gotten to a spot where there's enough users and developers of modern programming languages with experience in other languages that we're seeing good cross-pollination at the language design level (e.g. async/await is quickly being adopted by many languages as either a core feature or through a library that's popular). That just doesn't seem to have happened yet with the architecture around the languages yet.

1 more reply

j / k navigate · click thread line to collapse