You are currently reading a thread in /g/ - Technology

Thread replies: 99
Thread images: 5
[image: nodejs.png, 800x215]
Anybody else enjoying watching Node hipsters get BTFO by this week's NPM fuck-up?

The story:
> Kik, the smartphone IM company, threatens a random developer so he'll give them control of the 'kik' package name on NPM
> He tells them to fuck off, so they bypass him and get NPM to do the transfer instead
> He thinks this is bullshit, so he deletes all 250 of his other NPM packages
> HALF THE PACKAGES ON NPM BREAK because they depend on this ELEVEN LINE MODULE: https://github.com/azer/left-pad
Apparently node devs think it's better to add a whole new external dependency, rather than spend two minutes implementing "padLeft", "isPositiveInteger", or "isArray".

Links:
> Dev's initial blog post: https://medium.com/@azerbike/i-ve-just-liberated-my-modules-9045c06be67c
> "Oh god everything is broken": http://www.theregister.co.uk/2016/03/23/npm_left_pad_chaos/
> Kik attempts damage control: https://medium.com/@mproberts/a-discussion-about-the-breaking-of-the-internet-3d4d2a83aa4d
> Bonus: Read about how eleven-line modules are perfectly reasonable, and really the only problem here is that NPM lets you delete packages: https://news.ycombinator.com/item?id=11348798
>>
var isPositive = require('is-positive')
var isInteger = require('is-integer')


>web devs
>>
>>53651843
> padLeft
> 11 lines

function padLeft(s,i,c) { if (i>s.length) { return String(c).repeat(i-s.length) + String(s); } else { return String(s); } }

wait why the fuck would un-publishing a package kill live code? Are people using Node.js seriously fucking using third-party hosting for eleven fucking lines of code?
>>
More proof that the Node.js developer community is cancer.
>>
OP, this isn't a Node thing; this is a general "private entity being in charge of package management" issue. There are lots of underlying issues of ownership and property here, and it sounds like you're some kind of incredibly childish troll, so either back up and take a more mature stab at this, or expect a shitty thread to unfold.

>>53653224
2 things:
1) short packages are stupid (see >>53653033), but they offer the supposed guarantee of code coverage. Anything longer than 0 lines of code has the potential to have a bug, so why not let the development community work on the same function and just agree to use that? The whole point of code is that we don't all need to reinvent the wheel.

2) NPM grabs all of the dependencies when you build and deploy. If someone un-publishes a package, then future builds and deployments stop working.

Things got especially hairy for some people today after NPM allowed people to claim ownership of the unpublished packages, which caused people to build and deploy with code they might not have intended. And dependency requirements in NPM use various prefixes (like "~" and "^") to indicate some flexibility in the versioning, which is fine if everyone is a perfect, altruistic actor, but people are idiots and release broken versions, and others will co-opt a project like padLeft and release who knows what update under a seemingly minor version bump.

NPM handled this situation badly, but the community is insistent that they're handling it in the least awful way. I still think this is a profoundly bad handling of it. They should have had a policy in place that deals with the un-publishing of a module that's highly used. It's honestly hard to understand how nobody foresaw this. They certainly shouldn't have given ownership of the removed modules to other people. That seems particularly ill-advised. But whatever.
>>
>>53653382
>so why not let the development community work on the same function and just agree to use that?
you answered your own question
> NPM allowed people to claim ownership of the unpublished packages, which caused people to build and deploy with code they might not have intended

I break out in a cold sweat just thinking how much damage I could do by tweaking that one jquery.min.js that Google hosts and so few people want to bother self-hosting.
>>
>>53653382

Your argument falls flat when you consider that the majority of the modules on NPM are abandoned, unoptimized junk. It's just pretty bad programming to rely on dependencies for small things and I hope that this is a lesson to the Node community.
Also if you set NPM to fetch the "latest" version of any module (like many do), that's a security issue.
>>
>>53651843
>it's better to add a whole new external dependency, rather than spend two minutes implementing "padLeft", "isPositiveInteger", or "isArray".
Reinvent wheel etc etc. Of course, a valid argument is that for something so small, it could be a one-liner, like >>53653224 showed.
If one can be confident that the written code can handle all possible edge-cases, then yes, might as well write (or copy paste) it directly.

>enjoying watching Node hipsters get BTFO
I certainly do.
>>
>>53651843
why didn't kik just use a different name like "kik-im" or something?
>>
you need a c!==null in there.
padLeft("penis",7,null) -> "nullnullpenis"

Still, you put more effort into it than the faggots that wrote most of the apps on NPM, since you didn't do something stupid like "require(length_of_string)"
>>
>>53653382
>1) short packages are stupid (see >>53653033), but they offer the supposed guarantee of code coverage. Anything longer than 0 lines of code has the potential to have a bug, so why not let the development community work on the same function and just agree to use that? The whole point of code is that we don't all need to reinvent the wheel.
Okay, but that should be built into the core project if the core is dependent on it anyway.
>>
So I take it learning how to program with Node would be the bad baby way
>>
>>53653709
how's this instead?

function padLeft(s,i,c) { s = String(s); return (c != null && i > s.length ? String(c).repeat(i - s.length) : '') + s; } // c != null also rejects undefined; String(s) first so a number argument has a length
>>
>>53651843
Node: cancer for idiots.
http://widgetsandshit.com/teddziuba/2011/10/node-js-is-cancer.html
>>
>>53653817
>Anything longer than 0 lines of code has the potential to have a bug
and now you know why "100% code coverage" is a logical fallacy - how do you know your test doesn't have a bug?

Seriously, unit testing is "just OK", it's not a fucking religion.
>>
>>53653533
>majority of the modules on NPM are abandoned, unoptimized junk
NPM itself is already running on an unoptimized junk language.

>>53653844
Whatever floats your boat senpai. I can't stop or cure everyone from cancer.
>>
>>53653970
I was never really interested in it anyway. I'm not a programmer but even to a layman like me that sounds like a huge mistake to have something that everyone relies on and then have it yanked out
>>
>>53653382
>this isn't a Node thing
It is absolutely a Node thing. Where else do you see people pulling dozens of ten-line packages into high-profile projects?
>>
>>53654001
That's not the worst problem.

The problem is that there is no dependency resolution or dependency versioning in NPM
>>
>>53654001
> a huge mistake
lemmie tell you about something called 'jquery.min.js'. Can you guess how many websites bring this in but don't self-host it?

>>53654007
> where else
Doesn't Java have shitloads of things like J2EE and Enterprise Beans that have dozens of class files just for one class method?
>>
>>53653685
Because trademark law is fucking stupid.

In theory, if a company fails to defend one of their trademarks, the trademark could be invalidated in court (as in, they sue someone for trademark infringement, but the court throws it out because they failed to defend the mark on previous occasions). Lawyers defend against this by switching off their brains and blindly firing cease-and-desists toward anything and everything that even slightly resembles their trademark.

I'm actually surprised that Kik even attempted to resolve the issue politely before bringing in the legal threats (that didn't happen until their second email).
>>
>>53654086
are you just saying words for fun or do you actually mean something specific
>>
>>53654086
NPM has dependency versioning, that's not the issue.

The actual issues are:
> 1) You can delete a package from NPM, and this causes every build that depends on that package to break
> 2) If you delete a package, someone else can grab the name, and every build that depends on that package will pull down this new version instead (possibly including trojan/malware)
> 3) It's common to depend on a large number of small packages (things like is-integer, which provides one tiny utility function and nothing else), and if any of those packages breaks, the project no longer builds

#3 apparently has something to do with JS bundlers being incredibly shitty at removing dead code (aka "tree shaking"), but instead of fixing the problem, the Node community just made their ecosystem even more fucked-up than it already was.
>>
>>53654098
>Doesn't Java have shitloads of things like J2EE and Enterprise Beans that have dozens of class files just for one class method?
Yes, but that's not the same sort of problem.

If you depend on a library with 100 functions/classes, you're trusting one developer (or group of developers) to not fuck up their code.
If you depend on 100 libraries of 1 function each, now you're trusting 100 different random nobodies from the internet to have their shit together.

This week, one of those random nobodies fucked up, and half of the Node ecosystem fell apart.
>>
>>53654439
Honestly what he did wasn't wrong.

NPM fucked up, and he no longer wanted to work with them.

Nothing wrong with that.
>>
>>53654480
I meant more in the sense that he did something that caused his library to stop working. I do agree he was perfectly justified in doing what he did.
>>
I find it ironic that, in a github issue about this, Isaac basically said "That's what you get for depending on packages provided by third parties." without a shred of self awareness.
>>
>>53651843
>Anybody else enjoying watching Node hipsters get BTFO by this week's NPM fuck-up?
Enjoying greatly. I say this as someone who uses node daily, but has experience in other ecosystems. The current JS community has had this coming for so long, and honestly this is probably less pain than we all deserve.
>>
>>53654776
this so much, the node "community" is filled with so many spineless corporate shills that as you can see here will just bend over backwards to any bullshit that comes their way without even so much as a second thought. it's pathetic and the amount of dependence on silos (npm and github) is embarrassing
>>
>>53651843
ITT: poo in loo defending their lazy behavior
>>
>>53655084
Did you actually read the thread? Everyone's mocking node and js at large.
>>
>>53653533
>they offer the supposed guarantee
NPM might not live up to its potential, but the rationale for the principle is still valid.
>>
>>53653817
>Okay, but that should be built in to the core project if the core is dependent on it anyway.
"built into the core" meaning what?
>>
>>53655181
As in completely built-in, not an external dependency pulled in automatically (or at the very least, a known working version hosted first-party rather than third-party).
>>
>>53653844
Node is the hip new thing now (just like rails was a few years back) so there's a lot of jobs for it. It's still shit tho
>>
This is what happens when you let inexperienced web devs run things. They make bad decisions. End of story
>>
>>53655084
Node isn't poo in loo, it's more like "half-venti mocha soy chai lattecino in starbucks"
>>
>>53653583
>implying node.js monkeys can actual program and are not just rockstar wordpress ninjas that copy stack overflow code, hope it works and then take 3 day sabbaticals to vape
>>
>>53655203
>[resolve to a] known working version
this is what shrinkwrap does. it freezes dependencies and all sub-dependencies.
>hosted first-party rather than third-party
then you would have to deal with trustworthiness of each host in addition to trustworthiness of the team coding it (i.e. you add the MITM risk on top of the general "effectively anonymously written package")

npm had few good options but I agree that it's disingenuous of npm to say that people can rely on running "npm install" immediately before deploying given that the package authors have a way of un-publishing their work. And it's mind-bending that you can subscribe to a future package update before it's written (in other words, a package can be at version 0.1.0 and you can effectively say that you're willing to take package 0.1.1 if it exists... before it does. which is like saying "I'll eat anything that comes through this hole in the wall")
>>
>>53655335
>then you would have to deal with trustworthiness of each host in addition to trustworthiness of the team coding it
No, I mean the node team would simply fork a particular version of the package in question, and leave it in the npm repo.
Come to think of it, they don't even need to honor self-removals to begin with if the software is open source.
>>
why does node not use local copies of the software? Am I missing something?

Or do people just upgrade to newer packages because higher version number == better? Do they not read change logs etc before deploying live?

Do we really have a whole generation of fucking idiots doing this?
>>
[image: clip_image001.png, 517x192]
This is 'dll hell' all over again. Will the IT world ever learn?
>>
This is like if Debian pulled libncurses from their repos and your deployment of some binary depended on it being available for installation via apt. It's not a problem localised to npm.
>>
>>53655235
Most of the Nodejs jobs aren't in companies that you'd want to work for.
>>
>>53655388
>Do they not read change logs etc before deploying live?
>change logs
People nowadays don't even fucking read documentation.
>>
>>53655456
then they have nobody but themselves to blame
>>
>>53655454
wrong. That would only mean you can't install anything relying on libncurses using apt.
The problem here is that EVERYTHING that has the reliance would break. If apt ran like NPM, then libncurses being removed would mean that everything on your computer that relies on it would cease to function.
>>
>>53655357
this is essentially what happened. a lot of developers just showed up and registered the projects that got unpublished within like 10 minutes anyway (most/all of the takeovers were white hat takeovers so there were no disasters so far as I know).

The problem was that someone was able to remove their packages completely arbitrarily, and npm has realized that and stopped that from being possible (supposedly).

the thing that started this is still a problem, though; npm is a private space, and that's something we can stomach for a bit, but they really made that salient by siding with Kik the company against that guy whose project was named kik. there was basically no case for trademark violation; the risk of confusion between the two was minimal. but npm is run by a corporate body, and their job is to minimize the number of legal entanglements they have, because lawyers cost money even if you're right and even if all you have to do is send some paperwork telling the other guy to fuck himself with an eggplant emoji.

npm was in a shitty situation. they handled it shittily, but maybe every other option would've been shittier. that's possible only because they had shitty policies which weren't comprehensive. hopefully this will change soon.

I think it's a shame that nobody is pointing out that npm has violated the developer's wishes. I appreciate that they technically haven't violated the license, but it's decidedly naive to ignore that the author very clearly wanted his packages off npm. this is like telling your boss you quit and them saying "no".
>>
>>53655499
Wrong. npm downloads local copies to ./node_modules. Your projects would continue to run. Only new projects or deployments that depend on the now missing package would fail to install.
>>
>>53655532
From the GitHub issue, I see a lot of people complaining that their "builds" are breaking.
I'd assume that their build server/CI/etc will fetch these libraries whenever they are configured to run, and since the library is no longer there, yeah.
>>
>>53655604
Yeah. New build == new deployment == fucked.

A lot of hipster dev houses' build boards are going red.
>>
What are they programming with node? Honestly asking, I mean isn't plain javascript enough for web development or whatever the shit they are doing?
>>
>>53655912
it's so that starbucks addicted wordpress junkies can be cool and call themselves backend developers.
Also, it gives them the ability to now market themselves as full stack developers.

No, sorry, not developers, artisans
>>
[image: 13877123037584.png, 600x300]
>>53651843
>>
>>53654480
No one said he was wrong, he got fucked over so he decided the boat sinks with him.

It's NPM's fault for allowing it to happen in the first place. It shouldn't have handed over the kik namespace, it shouldn't have allowed users to freely remove modules, it shouldn't even rely on string literals to identify packages.

Its attempt at simplicity cost it half the fucking repository.
>>
I'm not trying to defend Kik because they could have easily just used Kik-IM or something. But I will say this. What he's saying about trademarks is true. The current system is fucking stupid. You choose to let one case slide, and suddenly, there's established legal precedent for anyone to disregard your trademark. I think shit like this is more a symptom of bad law making than anything else.
>>
>>53655912
You are talking about Node developers, where a large number of them are either too incompetent or ignorant to learn a more proper server side language.
Since they already know JS, Node comes as a godsend to them.

>I already know JS, now I can do backend too!
>>
>>53656000
Lel is that really all they do? I mean what the fuck are they doing with javascript. What could you possibly do with it except designing some gayshit websites or writing gay modules on wordpress?
>>
>>53656099
I'll be honest here, I've been dicking around in NodeJs for a while now. I've been trying to build a somewhat complex server side in it that can do schedule tasking based on user input, procedure management that can be user defined and chain web operations to create logical business processes.

It was a mistake. Nothing works the way it should, there is a pathetically low amount of things you can do with just Node+Express. It can't even handle file uploads out of the box.
You need a module for every fart possible, otherwise you're just in for a world of pain. Half the time the modules don't even work or are not actively developed, or have absolute shit docs. And these are high-profile modules (mongoose, unirest, q ..).

90% of my time is wasted just fixing the modules myself to make shit work. The whole ecosystem is just fucked.

It made me miss C# and Java for christ's sake. Even Python shows leagues more competency, and I fucking hate Python.

Avoid this shit platform. It's only fun for really small stuff. Any real semblance of a serious project and it breaks everywhere.
>>
[image: sticker-02-15-2.png, 2064x1434]
>>53656191
Have you tried other meme languages like Go? I'm not saying it solves the NPM problem, it has the exact same issue but there are vendoring tools now so at least that's an option.

I've been using it for the past year and haven't had any regrets. Just don't try to do templating without a framework, the built-in template library is shit. Everything else just werks(tm).
>>
>>53656191
Even as a front end developer, JS is already shitty to work with on browsers.
The worst I've ever come across are Node JS desktop apps. Fucking bundled with NPM and Node, shit's so fucking heavy.
>>
>>53656010
proud of you anon
>>
>>53656588
>unironically recommending a language with no generics
>>
>not vendoring your dependencies

fucking morons.

I mean, that's a given using node, but still. I've written a few small things at work using node, to get a handle on it. Every dependency is vendored in our own repo so nothing like that padleft thing can happen.
>>
>>53656760
Read the GitHub issue discussion and >>53655604. It largely affects build servers, and only a few existing deployments.
>>
>>53656659
>Node JS desktop app
Things like that exist? Oh god.
>>
>>53656819
I still don't get it. If you vendor your dependencies, your CI/build servers just use dependencies from your own repo and not the remote ones.

I literally did this last month. I don't recall if anything I made depends on leftpad, but either way my builds have been going just fine all week.
>>
>>53656869
There is Atom, Visual Studio Code, Spotify and other stuff built upon Electron and nw.js.

I made a prototype for some GUI based website generator and found out that stuff takes up nearly 100 MB only to install the framework.
>>
>>53656869
>>53656921
>Atom 104 MB
>VSCode 28.2 MB
>Brackets 38.4 MB

>inb4 third world internet so slow that you can't handle a few hundred MBs of data
For fuck's sake, Sublime in comparison is less than 10 fucking MB
>>
>>53656984
I'm not disagreeing, but what triggers me more is that they build editors based on the DOM and everyone is pretending to wonder that it's slow once you open more than a handful of lines.
>>
>>53656984
It's funny how this reliably happens to everyone after they've used linux for too long
>install windows application
>phew it's only 5gb I'll just leave that to download
>install linux application
>30mb? FUCKING BLOAT
>>
>>53657020
Pff, pleb. I had this on Windows, long before I tried Linux.
I'm actually more reluctant to install stuff on my Windows system, since I know every second installer will leave some stuff behind when extracting and uninstalling.
>>
>>53657043
You can't have that on windows
everything needs to distribute its own copy of two dozen libraries which brings even the smallest programs up to hundreds of mb

>every second installer will leave some stuff behind
not every second anon, every
>>
>>53656101
The only other things javascript is really useful for are tracking and interactivity.
>>
>>53657017
And I was just listing out xbox hueg Node desktop apps to strengthen the argument. No harm intended.

>>53657020
I started with Win98SE, and even then, I was very critical on what goes on the hard disk. Or maybe it's an autistic sign that I should use Linux.
>>
LEL THAT NIGGA ON SUICIDE WATCH NOW

>nodejs not even once
>>
>npm has admin control over everyone's code
>they can even undo developer's wish to delete their own work

>muh open source
This is why the project fails. It's not LIBRE-Free. "open source" is a code word for corporate tool.
>>
> https://github.com/Idorobots/leftpad-framework
> A JavaScript framework for left-padding your strings!
>>
>>53658088
node.js was a mistake to begin with.

Now those latte sipping jumped up iCuck faggots are learning a hard lesson
>>
>>53653382
Go away JS dev faggot.
>>
>>53658383
I doubt it. The lesson these cucks will learn is to "not give power to the users" and more power to the admins/corporates.
>>
>>53658384
eat a dick retard.
>>
>>53658442
Kill yourself.
>>
>>53658455
if anyone's an authority on people who should kill themselves, i guess it'd be a retarded faggot.
>>
>>53651843
Ayy lmao it's the exact same z-grade journalists at it again https://twitter.com/azerbike/status/712924319974887424
>>
>>53653382
>Anything longer than 0 lines of code has the potential to have a bug, so why not let the development community work on the same function and just agree to use that? The whole point of code is that we don't all need to reinvent the wheel.

Actually that applies only to really shitty developers.
Normal, competent developers have a two to three digit contingent of trivial code they can write without introducing any bug if used to the language/environment/whatever.

Therefore, packages should only exist for non-trivial things in order to slow down bitrot.
For 11-liners there are snippet addons and gists and SO and stuff.
>>
welcome to cuckjs.io - the developer's framework

We give away free lattes, have open, light offices with fun working environments. We spend most of our time trimming our own beards (sometimes we trim each other's. If you fuckin know what i mean) and talking about the latest js frameworks. We have a pot plant and a mascot.

We don't actually deliver any projects as most of those don't need our assistance (they run wordpress and it just works). However, one guy here knows a bit of javascript (aside from photoshop) and he deploys most of our npm packages. We're kind of a big deal and our most popular package is left-pad.

This was all just from our first funding round. We have no idea what the fuck to do next. Maybe run another funding round?
>>
>isArray that has 880,000 downloads a day, and 18 million downloads in February of 2016. It has 72 dependent NPM packages
>consists of a single line

I knew node programmers were shit but this is a whole new level of shit.
>>
>>53651843
So there are 4 things wrong:

1. micro packages
2. pulling directly from repos
3. the security
4. who is in charge of npm

wew lad
>>
>>53651843
No wonder modern websites run like dogshit, it's all clueless non-dev retards running the shitshow.
>>
[image: 97351337_o.jpg, 326x491]
>>53658615
forgot image
>>
Ken, Pike and Rsc must be laughing their asses off because they've been trying to push the idea that abstraction and avoidance of code duplication has a negative impact as well into the heads of people for at least two decades now.
But hey - let's just keep dynamically linking everything and create dependencies everywhere, nothing could go wrong with massive dependency graphs like that, or could it?
Google has been fighting this issue for ages as well, which is one of the reasons why they were using containers long before Docker arrived, but this idea doesn't seem to have spread across the rest of the community.
>>
>>53658701
sounds like noodle soup. Don't see the long term benefit, only code artisans think this way
>>
>>53658633
It gets downloaded that much because of the 72 dependent packages.

If you require a package that required another package that required one of those 72 packages...then you're downloading 'isArray' every time you update.
>>
>>53658088
If it were truly "Libre", then the original creator should not even have the right to unpublish.

Open source code belongs to the community, not to the guy who happens to have written it.
>>
>>53658750
That makes it even worse.
If someone actually uses one of those 72 dependent packages,
then they use code so shitty, it fucking imports a trivial one-liner.
>>
>>53658701
>Ken, Pike and Rsc
They really aren't in the positions to judge, after all they have done.
>>
when is this ride going to end? I want the world to get off
>>
>put up tons of AGPL licensed node packages
>sue half of the web