• TootSweet@lemmy.world
    link
    fedilink
    English
    arrow-up
    178
    arrow-down
    3
    ·
    3 months ago

    I’ve literally told my coworkers “I’m not saying we should never use dependencies. But every time you add a dependency, you should hate yourself a little bit more. Some self flagellation can’t hurt either.”

    • lad@programming.dev
      link
      fedilink
      English
      arrow-up
      12
      arrow-down
      2
      ·
      3 months ago

      So, every time I use a library to recognize patterns on a picture, to interact with Kafka, do some SSL, or do database mapping, I should hate myself, noted

      We did Elastic API integration in Java by creating and maintaining huge half-codegenerated transformer from code to Elasticsearch’s JSONs, it was a pain and it was source of more than one error

      Dependences should be reviewed and audited to make sure they do what you need and they are worth using. Just making everything in-house gets you nowhere most of the time

      • aaro@lemmy.world
        link
        fedilink
        arrow-up
        17
        ·
        3 months ago

        Nobody is arguing that you should never depend on anything and create everything yourself, but adding a dependency for literally a one liner function is awful. Like one of the Go proverbs goes, a little copying is better than a little dependency.

        • lad@programming.dev
          link
          fedilink
          English
          arrow-up
          3
          ·
          3 months ago

          Yeah, there’s mention of doing the opposite in C++ community in a neighbouring thread

      • JackbyDev@programming.dev
        link
        fedilink
        English
        arrow-up
        2
        ·
        3 months ago

        That is what they were getting at by some self flagellation can’t hurt either. That sometimes “hating yourself” (adding dependencies) is worth it.

        • lad@programming.dev
          link
          fedilink
          English
          arrow-up
          2
          arrow-down
          1
          ·
          3 months ago

          I read it as “also throw in some physical pain cause just feeling bad is not quite enough” 🤔

  • EnderMB@lemmy.world
    link
    fedilink
    arrow-up
    174
    ·
    3 months ago

    I’ve honestly never understood why someone at Google or Mozilla hasn’t decided to write a JavaScript Standard Library.

    I’m not opposed to NPM, because dumb shit like this happens everywhere. If such a package is used millions of times a day, perhaps it would make sense to standardise it and have it as part of the fucking browser or node runtime…

    • DefederateLemmyMl@feddit.nl
      link
      fedilink
      arrow-up
      46
      arrow-down
      2
      ·
      3 months ago

      I’ve honestly never understood why someone at Google or Mozilla hasn’t decided to write a JavaScript Standard Library.

    • seatwiggy@lemmy.dbzer0.com
      link
      fedilink
      English
      arrow-up
      23
      ·
      3 months ago

      There’s a js runtime called bun that is 90-something% feature equivalent to node and also has built in alternatives to many packages like express and bcrypt. I haven’t used it myself so I can’t speak to its quality but it’s always nice to see a little competition

      • Dr. Moose@lemmy.world
        link
        fedilink
        English
        arrow-up
        16
        ·
        3 months ago

        So is Deno! You can easily import npm: and node: packages and run typescript without transpiling. With Bun and Deno there’s no reason to use Node tbh.

        • sfxrlz@lemmy.world
          link
          fedilink
          arrow-up
          4
          ·
          3 months ago

          For starting new projects i absolut agree. At work we have a legacy react app that just will not run on bun and for deno we would probably have to rewrite some stuff.

          • Dr. Moose@lemmy.world
            link
            fedilink
            English
            arrow-up
            5
            ·
            3 months ago

            I’ve updated some legacy nodejs to Deno recently and it’s actually not bad! If you’re using serverless Denoflare is super convenient and DTN is a tool for building Deno to NPM (both esm and commonjs) so you can have easy backwards compatibility if needed, it even shims all of the Deno standard lib.

            It’s really impressive what Deno and Bun people have done - for the first time I actually somewhat enjoy server side JS!

            • sfxrlz@lemmy.world
              link
              fedilink
              arrow-up
              3
              ·
              3 months ago

              That sounds neat. For our nodejs server this could be done without too much effort. Will keep that in mind, thanks. But I also have to check for the cra app we’re having a lot of issues with.

      • jaemo@sh.itjust.works
        link
        fedilink
        arrow-up
        3
        arrow-down
        1
        ·
        3 months ago

        Bun is used by us in production, in dev, everywhere. It’s great. We don’t even use (p)npm to build js packages on our docker images for apps anymore.

    • rimjob_rainer@discuss.tchncs.de
      link
      fedilink
      arrow-up
      28
      arrow-down
      6
      ·
      3 months ago

      I wish they would replace JavaScript with something that was made for what it’s used for. JavaScript should have died years ago.

    • mindbleach@sh.itjust.works
      link
      fedilink
      arrow-up
      19
      ·
      3 months ago

      That’s basically how Javascript gets extended. I put off learning jQuery for so long that all the features I’d want are now standard.

    • Blackmist@feddit.uk
      link
      fedilink
      English
      arrow-up
      9
      ·
      3 months ago

      Support for int64s out of the box and without jumping through hoops would be nice.

  • ChaoticNeutralCzech@feddit.org
    link
    fedilink
    English
    arrow-up
    124
    arrow-down
    2
    ·
    edit-2
    3 months ago

    If you think is-number can be replaced with a one-liner, you don’t have the enterprise code mindset. What if the world gets more inclusive and MMXXIV, ½ and ⠼⠁ become recognized as numbers? 𒐍𓆾 were numbers in the past but what if people start assigning numeric value to other characters? Are 🖐🔟💯🆢🂵🀌🁅 numbers of the future???
    /s

    I’m not even all kidding, Regex implementations are split on whether “٣” matches \d.

    • modeler@lemmy.world
      link
      fedilink
      arrow-up
      28
      ·
      3 months ago

      All junior devs should read OCs comment and really think about this.

      The issue is whether is_number() is performing a semantic language matter or checking whether the text input can be converted by the program to a number type.

      The former case - the semantic language test - is useful for chat based interactions, analysis of text (and ancient text - I love the cuneiform btw) and similar. In this mode, some applications don’t even have to be able to convert the text into eg binary (a ‘gazillion’ of something is quantifying it, but vaguely)

      The latter case (validating input) is useful where the input is controlled and users are supposed to enter numbers using a limited part of a standard keyboard. Clay tablets and triangular sticks are strictly excluded from this interface.

      Another example might be is_address(). Which of these are addresses? ‘10 Downing Street, London’, ‘193.168.1.1’, ‘Gettysberg’, ‘Sir/Madam’.

      To me this highlights that code is a lot less reusable between different projects/apps than it at first appears.

      • ChaoticNeutralCzech@feddit.org
        link
        fedilink
        English
        arrow-up
        20
        ·
        edit-2
        3 months ago

        You may argue that writiing 2024 as “MMXXIV” and not “ⅯⅯⅩⅩⅣ” is a mistake but while typists who’d use “2OlO” for “2010” (because they grew up using cost-reduced typewriters) are dying out, you’ll never get everyone to use the appropriate Unicode for Roman numerals.

        • oo1@lemmings.world
          link
          fedilink
          English
          arrow-up
          5
          ·
          3 months ago

          Even if they did use unicode, any codeset , glyph or language changes over time , ulimately they emerge out of communication, not the other way round.

          If some culture decides they want to use the glyph “2” to mean a word “to”, they can and will, and no codeset is going to stop them. And if they get their message to their intended audience it doesnt matter that somebody else’s isnumber fuction get’s it wrong.

          A person, community or standard codeset or dictionary cannot deny the accuracy or content of encrypted communication just because they can’t decipher it.

          Put another way a more robust isnumber() should maybe have a second argument to specify the codeset being used, and maybe whether written words - in some defined languare - are also to be converted

          On the other hand “1/4/12” is not a fucking date.

          • ChaoticNeutralCzech@feddit.org
            link
            fedilink
            English
            arrow-up
            3
            ·
            3 months ago

            “1/4/12”

            Excel is going to have a Date with you, and it’s not asking further questions. If you didn’t wish to consent to have your col’n shattered, you should have preceded it with a '.

            • oo1@lemmings.world
              link
              fedilink
              English
              arrow-up
              2
              ·
              3 months ago

              yeah, I’ve been rohypnolled by both microsoft and oracle, and general cloud shit , and various co workwers so many times now i barely even notice.

              Hilariosly excel has recently started asking now, I think it says something like: “I’ve just fucked up several columns in your csv that you went to the bother of enquoting.” “Do you want me to reload it and i’ll try to un-fuck a few of those columns? ( whispers to audience - but probably not all of them - tee hee).”

              I think my employer just needs to employ 25-50 more “delivery” managers and empower them to spend millions on a prettier barrel for us to bend over, that’ll solve it. Maybe it’ll have flufffy handcuffs.

        • Contravariant@lemmy.world
          link
          fedilink
          arrow-up
          3
          ·
          edit-2
          3 months ago

          Wouldn’t surprise me if even Unicode advices against using Roman numerals depending on meaning.

          It was mostly a joke (though frankly if you try any implementation more complicated than that joke you’re going to have a bad time).

    • bitfucker@programming.dev
      link
      fedilink
      arrow-up
      7
      ·
      3 months ago

      So the only valid digits are arabic numbers but arabic script numbers are not a valid digit? If we want programming to be inclusive then doesn’t that make sense to also include the arabic script number?

      • ChaoticNeutralCzech@feddit.org
        link
        fedilink
        English
        arrow-up
        21
        ·
        edit-2
        3 months ago

        So the only valid digits are arabic numbers but arabic script numbers are not a valid digit?

        Some people writing Regex implementations have that opinion. I’ve refrained from saying mine.

        If we want programming to be inclusive then doesn’t that make sense to also include the arabic script number?

        Maybe. IMO, number tests should be chosen/implemented based on the project’s requirements. If you want to include every Unicode character or string pattern anyone’s ever used to convey a numeric value, that would be a long and growing list. Arguably, it’s impossible: the word “elf” means a number if interpreted as German for “eleven” but not if interpreted as English for 🧝.

        • bitfucker@programming.dev
          link
          fedilink
          arrow-up
          7
          ·
          3 months ago

          Yeah, but “elf” are not digits. Digits are a symbol abstracted from the language itself. Does 5 and V convey different meanings in the context of digits? And yeah, I can see why they would argue about the implementation because inclusivity is important. Especially when designing a language implementation. If you are designing it wrong, it will be very hard to extend it in the future. But for application level implementation, go nuts.

          • ChaoticNeutralCzech@feddit.org
            link
            fedilink
            English
            arrow-up
            5
            ·
            edit-2
            3 months ago

            You are right, “elf” is a stretch, it does not make sense to parse it as a number. But in some languages, the string “15 240,5” is just how a number is written (yes, that’s a U+2009 THIN SPACE, you can’t stop me from using it as a thousand separator in German). Obviously, despite having a , on their numpads, German programmers still expect computers to parse numbers with decimal dots and interpret commas as list values.

            • bitfucker@programming.dev
              link
              fedilink
              arrow-up
              4
              ·
              edit-2
              3 months ago

              Alright, maybe you misunderstood the term digits with numbers. When parsing a digit, you do not attach semantic yet to the building blocks. A \d regex parser does not care that the string “555” is not equivalent to “VVV”. All it cares about is that there is the digit “5” or “V”. In the same vein, regex parser should not try to parse IV as a single symbol.

              • ChaoticNeutralCzech@feddit.org
                link
                fedilink
                English
                arrow-up
                3
                ·
                edit-2
                3 months ago

                It’s not just digits. Nobody is expecting it to understand language yet but the parser is-number still returns true for "2e3" or "0x0F". It tells you whether the string can be interpreted as a real numeric value.

                • bitfucker@programming.dev
                  link
                  fedilink
                  arrow-up
                  1
                  ·
                  3 months ago

                  Yeah, hence is-“number”. But we were talking about regex are we. A number representation can use digits but it can also not. Much like how you make a number using the word “elf”.

            • bitfucker@programming.dev
              link
              fedilink
              arrow-up
              2
              ·
              3 months ago

              As I said, a digit is a symbol. Much like how we use letters to compose words, digits are used to construct numbers. When you start to repeat or reuse the symbol then it is no longer a singular symbol (what regex \d does). Hence my comments on why arabic script are one of the understandable debates since i18n is a valid concern as much as a11y is.

  • floofloof@lemmy.ca
    link
    fedilink
    English
    arrow-up
    91
    ·
    edit-2
    3 months ago

    It looks like “is-number” was never more than a few simple lines of code. It still has 68 million downloads per week.

    https://www.npmjs.com/package/is-number

    I checked one of our main projects at work, and it’s in there as a dependency 6 levels deep via the “sass” package.

    • sushibowl@feddit.nl
      link
      fedilink
      arrow-up
      47
      ·
      3 months ago

      is-number is a project by John Schlinkert. John has a background in sales and marketing before he became an open source programmer and started creating these types of single function packages. So far he has about 1400 projects. Not all of them are this small, though many are.

      He builds a lot of very basic functionality packages. Get the first n values from an array. Sort an array. Set a non-enumerable property on an object. Split a string. Get the length of the longest item in an array. Check if a path ends with some string. It goes on and on.

      If you browse through it’s not uncommon to find packages that do nothing but call another package of his. For example, is-valid-path provides a function to check if a windows path contains any invalid characters. The only thing it does is import and call another package, is-invalid-path, and inverses its output.

      He has a package called alphabet that only exports an array with all the letters of the alphabet. There’s a package that provides a list of phrases that could mean “yes.” He has a package (ansi-wrap) to wrap text in ANSI color escape codes, then he has separate packages to wrap text in every color name (ansi-red, ansi-cyan, etc).

      To me, 1400 projects is just an insane number, and it’s only possible because they are all so trivial. To me, it very much looks like the work of someone who cares a lot about pumping up his numbers and looking impressive. However the JavaScript world also extolled the virtues of these types of micro packages at some point so what do I know.

      • NotNotMike@programming.dev
        link
        fedilink
        arrow-up
        15
        ·
        3 months ago

        Wow you’re right, he’s the author of the infamous “is-odd” and “is-even” packages. What an odd person.

        Someone in the OP PR mentioned the amount of energy used to download these tiny packages and its actually something crazy to think about

        • floofloof@lemmy.ca
          link
          fedilink
          English
          arrow-up
          7
          ·
          3 months ago

          It makes you wonder why anyone uses them though, since so many of them do things that are trivial in modern JavaScript.

          • nickwitha_k (he/him)@lemmy.sdf.org
            link
            fedilink
            arrow-up
            5
            ·
            3 months ago

            And anyone who has been around for a while should remember when left-pad broke node.js. Including unnecessary dependencies, instead of writing trivial code is just bad practice.

      • nickwitha_k (he/him)@lemmy.sdf.org
        link
        fedilink
        arrow-up
        3
        ·
        3 months ago

        To me, 1400 projects is just an insane number, and it’s only possible because they are all so trivial.

        Holy shit. I’m going to have to go through my team’s dependencies. I don’t feel confident that someone “maintaining” that many projects is going to be able to keep all bad actors at bay. Not to mention, none of the examples of his libraries that I’ve seen SHOULD be libraries.

  • Randelung@lemmy.world
    link
    fedilink
    arrow-up
    48
    ·
    3 months ago

    Seems to me the only reason for these kind of dependencies to exist in the first place is that people really, really, really, REALLY can’t code.

    • Bourff@lemmy.world
      link
      fedilink
      arrow-up
      22
      arrow-down
      1
      ·
      3 months ago

      Well javascript is the default language of the web, so no surprise it attracts a lot of newbies.

      • Randelung@lemmy.world
        link
        fedilink
        arrow-up
        15
        ·
        edit-2
        3 months ago

        Yeah but if noobs use it as a dependency, who made the package?

        And what projects are noobs working on that trigger 440GB of weekly traffic?

        I fear most noobs remain noobs.

        • Bourff@lemmy.world
          link
          fedilink
          arrow-up
          5
          ·
          3 months ago

          Don’t ask me, all these one-line packages are ridiculous, cause greater issues than whatever they solve, and are (part of) the reason why js and it’s ecosystem are not considered seriously by other developers.

    • sus@programming.devOP
      link
      fedilink
      arrow-up
      70
      ·
      edit-2
      3 months ago

      is-number is a one-line function. (though it’s debatable if a function that complex should be compressed to one line)

      You may have heard of a similar if more extreme “microdependency” called is-even. When you use an NPM package, you also need all the dependencies of that package, and the dependencies of those dependencies recursively. Each package has some overhead, eventually leading to this moment in time.

      • sparkle@lemm.ee
        link
        fedilink
        Cymraeg
        arrow-up
        11
        arrow-down
        1
        ·
        edit-2
        3 months ago

        Web bloat in a nutshell and why we need to switch to things like Web Assembly more than ever. It’s not WASM, but I used Laminar which is a Scala.js library, and it’s the absolute pinnacle of (frontend) web development. Scala in general is just really great for idiomatic web code, its flexibility is unbeatable.

        Another amazing alternative would be anything Rust. In fact I’ve used that much more than Scala for web. I’ve mainly used Leptos for full-stack and and Actix for backend, but I’ve seen Dioxus and Axum in good use and they both seem really great too.

        Apparently Lemmy uses Leptos for its UI so… that’s a +1.

        • Auzy@beehaw.org
          link
          fedilink
          arrow-up
          3
          ·
          3 months ago

          I feel like this is completely avoidable bloat.

          You could quite easily create this bloat in any language

    • Gamma@beehaw.org
      link
      fedilink
      English
      arrow-up
      19
      ·
      edit-2
      3 months ago

      It handles a few weird edge cases, mostly. Only 7 meaningful lines of code and almost 70M downloads week!

      • Admiral Patrick@dubvee.org
        link
        fedilink
        English
        arrow-up
        19
        ·
        3 months ago

        Sadly, it’s a stupid dependency of a lot of things.

        Just ran npm explain is-number on one of my projects, and it’s a dependency of to-regex-range which is a dependency of fill-range which is a dependency of…and so on up the chain.

        I was hoping I wouldn’t find that in there, but alas, it is.

      • nickwitha_k (he/him)@lemmy.sdf.org
        link
        fedilink
        arrow-up
        7
        arrow-down
        1
        ·
        edit-2
        3 months ago

        I don’t get the concept that depending on 7 lines of code from a third-party package is remotely acceptable. It’s expanding the potential attack surface to save a dev from templating 7 lines of boilerplate. There’s no net benefit or appreciable time saved.

        I’m glad I don’t have to deal with this regularly.

        ETA: The package is even MIT licensed! There’s no excuse but laziness and not wanting to understand the code to import this rather than inlining or implementing a novel version. If I can spend the time to write:

        if err != nil {
          slog.Warn("well shit", "error", err)
          return err
        }
        

        after every function call…I just didn’t get it.

    • lad@programming.dev
      link
      fedilink
      English
      arrow-up
      2
      ·
      3 months ago

      I’m not sure, this is a valid estimate. If they were to replace is-number with its contents, that would mean that the economy is only in HTTP-related overhead.

      It maybe will make difference because of building phase, lock-files, package-files, but I am not sure that data-traffic difference is that big

  • 418teapot@lemmy.world
    link
    fedilink
    English
    arrow-up
    25
    arrow-down
    3
    ·
    edit-2
    3 months ago

    It’s kind of insane how bad this whole is-number thing is. It’s designed to tell you if a string is numeric, but I would argue if you’re ever using that you have a fundamental design problem. I hate dynamic typing as much as anyone else, but if forced to use it I would at least try to have some resemblance of sanity by just normalizing it to an actual number first.

    Just fucking do this…

    const toRegexRange = (minStr, maxStr, options) => {
      const min = parseInt(minStr, 10);
      const max = parseInt(maxStr, 10);
      if (isNaN(min) || isNaN(max)) throw Error("bad input or whatever");
      // ...
    

    Because of the insanity of keeping them strings and only attempting to validate them (poorly) up front you open yourself up to a suite of bugs. For example, it took me all of 5 minutes to find this bug:

    toRegexRange('+1', '+2')
    // returns "(?:+1|+2)" which is not valid regexp
    
    • thesmokingman@programming.dev
      link
      fedilink
      arrow-up
      40
      ·
      3 months ago

      The problem is the underlying API. parseInt(“550e8400-e29b-41d4-a716-446655440000”, 10) (this is a UUID) returns 550. If you’re expecting that input to not parse as a number, then JavaScript fails you. To some degree there is a need for things to provide common standards. If your team all understands how parseInt works and agrees that those strings should be numbers and continues to design for that, you’re golden.

      • 418teapot@lemmy.world
        link
        fedilink
        English
        arrow-up
        11
        ·
        3 months ago

        Yeah good point. I suppose the problem is this function that operates on numbers allows numeric strings to be passed in in the first place. The only place where I would really expect numeric strings to exist is captured directly from user input which is where the parsing into a numeric data type should happen, not randomly in a library function.

  • KillingTimeItself@lemmy.dbzer0.com
    link
    fedilink
    English
    arrow-up
    15
    arrow-down
    5
    ·
    3 months ago

    i think programmers need a self inflicted rule of it being less than 500 lines of code means you need to write it instead of using a pre written package/library.

    On the other hand, we could make the packages like is-number the worst possible way of checking if something is a number, which would be really fucking funny…

      • KillingTimeItself@lemmy.dbzer0.com
        link
        fedilink
        English
        arrow-up
        3
        arrow-down
        3
        ·
        edit-2
        3 months ago

        well obviously shit like wozmon exists, but there definitely needs to be a rule to prevent handicap shit like “is-number”

        the vast majority of programmers have the problem solving capability of a child who took shit apart constantly due to autism.

    • jonne@infosec.pub
      link
      fedilink
      arrow-up
      4
      ·
      3 months ago

      Eh, I can see why you’d want something like that in a language like JavaScript where pretty much all native ways of validating input have weird edge cases. Sometimes you just want the community to figure it out for you instead of reinventing the wheel and finding out you missed something later on.

      A whole package that handles validation of inputs, or a math package would be better than a package that just has one function tho.

      • KillingTimeItself@lemmy.dbzer0.com
        link
        fedilink
        English
        arrow-up
        4
        ·
        3 months ago

        yeah, generally it seems like you want a more broad package, if for something like validating input, it would be comprehensive across all input for example.

        There’s one package on npm called is-even and i think another called is-odd, which according to the author are “learning experiences” which have, considerable amounts of downloads, even though it’s literally just is-even checking. Shit like that should probably get you banned from using keyboards for the rest of your life lol

    • lily33@lemm.ee
      link
      fedilink
      arrow-up
      1
      ·
      3 months ago

      And who hasn’t contributed any code to this particular repo (according to github insights).

      • GBU_28@lemm.ee
        link
        fedilink
        English
        arrow-up
        1
        ·
        3 months ago

        Not familiar with this exact team, but a skilled reviewer/issue triager is useful. We can hope this person at least tested the changes.