| ▲ | treve 6 days ago |
| The '50 extra packages' one is wild. The author of those packages has racked up a fuckload of downloads. What a waste of total bandwidth and disk space everywhere. I wonder if it's for clout. |
|
| ▲ | bikeshaving 6 days ago | parent | next [-] |
| The maintainer who this piece of “cursed knowledge” is referencing is a member of TC39, and has fought and died on many hills in many popular JavaScript projects, consistently providing some of the worst takes on JavaScript and software development imaginable. For this specific polyfill controversy, some people alleged a pecuniary motivation, I think maybe related to GitHub sponsors or Tidelift, but I never verified that claim, and given how little these sources pay I’m more inclined to believe he just really believes in backwards compatibility. I dare not speak his name, lest I incur the wrath of various influential JavaScript figures who are friends with him, and possibly keep him around like that guy who was trained wrong as a joke in Kung Pow: Enter the Fist. In 2025, I’ve moderated my opinion of him; he does do important maintenance work, and it’s nice to have someone who seems to be consistently wrong in the community, I guess. |
| |
| ▲ | karel-3d 6 days ago | parent | next [-] | | to save everyone else a search, it's probably ljharb. (I am not a member of JS community, so, come and attack me.) | | |
| ▲ | Sammi 6 days ago | parent | next [-] | | Saga starts here: https://x.com/BenjaminMcCann/status/1804295731626545547?lang... https://github.com/A11yance/axobject-query/pull/354 Specifically Ben McCann along with other Svelte devs got tired of him polluting their dependency trees with massive amount of code and packages and called him out on it. He doubled down and it blew up and everyone started migrating away from his packages. ljharb also does a lot of work on js standards and is the guy you can thank for globalThis. Guy has terrible taste and insists everyone else should abide by it. | | | |
| ▲ | sunaookami 6 days ago | parent | prev [-] | | Wow that's some deep rabbit hole. This guy gets paid per XY npm downloads and games the system through this. Awful. | | |
| ▲ | karel-3d 6 days ago | parent | next [-] | | There is apparently a tool, that you can upload your package.json and it will show you how much dependencies are controlled by ljharb https://voldephobia.rschristian.dev/ | | |
| ▲ | rschristian 2 days ago | parent | next [-] | | Ha, was wondering why I started getting a few more stars all of a sudden. For extra context: I created the tool ~9 months prior to the meltdown as one could vaguely mention an individual trolling over NPM deps and absolutely everyone in the ecosystem with a bit of experience would know who was being referred to, aka, "You Know Who". And, if you dared mention him by name, he'd eventually show up reciting his download counts in endless "appeal to authority"-style arguments, trying to brow-beat people into accepting that he knows more or whatever, ergo, "He Who Must Not Be Named" (at least, if you didn't want him being annoying in your mentions). There's a number of "-phobia" apps in the ecosystem and given the negative impact he has on dependency trees, it felt fitting to offer a similar, somewhat satirical, app to detect how much of your dependency tree he controlled. | |
| ▲ | dvfjsdhgfv 6 days ago | parent | prev | next [-] | | It looks like if I wanted to install a particular piece of software on many modern websites and I didn't have enough resources to hack node itself, talking to this guy would be a logical choice. | | |
| ▲ | karel-3d 5 days ago | parent [-] | | Eh, as much as I think this guy has very weird opinions; if he wanted to cause harm, he would do it many years ago. When I started looking him up, he DOES do a lot of good work in the ecosystem. Which makes this more complex issue. But, also, he does this "backwards compatibility forever" insanity. I think it's his crusade. |
| |
| ▲ | goriv 5 days ago | parent | prev [-] | | Damn, I just checked a random express project I built and there are a lot of things underlined in red there. I think the most amazing one is https://www.npmjs.com/package/is-number-object, which has a stupidly large dependency tree. |
| |
| ▲ | 6 days ago | parent | prev [-] | | [deleted] |
|
| |
| ▲ | titanomachy 6 days ago | parent | prev | next [-] | | This is Wimp Lo! We trained him wrong on purpose, as a joke. Long time since I thought of that movie. | | | |
| ▲ | jddj 6 days ago | parent | prev | next [-] | | Looking forward to this Jia Tan sequel in a few years' time. | |
| ▲ | Havoc 6 days ago | parent | prev [-] | | Forgive my ignorance of js matters but how does adding packages improve backward compatibility at all? | | |
| ▲ | motorest 6 days ago | parent [-] | | > Forgive my ignorance of js matters but how does adding packages improve backward compatibility at all? The scheme is based on providing polyfills for deprecated browsers or JavaScript runtimes. Here is the recipe. - check what feature is introduced by new releases of a browser/JavaScript runtime, - put together a polyfill that implements said feature, - search for projects that use the newly introduced feature, - post a PR to get the project to consume your polyfill package, - resort to bad faith arguments to pressure projects to accept your PR arguing nonsense such as "your project must support IE6/nodejs4". Some projects accept this poisoned pill, and whoever is behind these polyfill packages further uses their popularity in bad faith arguments ("everyone does it and it's a very popular package but you are a bad developer for not using my package") I had the displeasure of stumbling upon PRs where tis character tries to argue that LTS status does not matter at all I'm determining whether a version of node.js should be maintained, and the fact that said old version of node.js suffers from a known security issue is irrelevant because he asserts it's not a real security issue. | | |
|
|
|
| ▲ | Centigonal 6 days ago | parent | prev | next [-] |
| It's probably a clout thing, or just a weird guy (Hanlon's Razor), but a particularly paranoid interpretation is that this person is setting up for a massive, multi-pronged software supplychain attack. |
| |
| ▲ | godelski 6 days ago | parent | next [-] | | Those don't have to be mutually exclusive. Often those with clout are targeted for supplychain attacks. Take xz as an example. Doesn't seem unreasonable that a solo dev or small team looks to either sell their projects or transfer them to someone else (often not even with money exchanging hands). Or even how old social media accounts are hacked so that they can appear as legitimate accounts. I'm big on Hanlon's Razor too, but that doesn't mean the end result can't be the same. | |
| ▲ | motorest 6 days ago | parent | prev | next [-] | | > (...) but a particularly paranoid interpretation is that this person is setting up for a massive, multi-pronged software supplychain attack. That person might not be doing it knowingly or on purpose, but regardless of motivations that is definitely what is being done. | | |
| ▲ | whilenot-dev 6 days ago | parent [-] | | A package "for-each"[0] that depends on a package "is-callable"[1], just to make forEach work on objects? Nope, not buying the goodwill here. [0]: https://www.npmjs.com/package/for-each [1]: https://www.npmjs.com/package/is-callable | | |
| ▲ | whilenot-dev 6 days ago | parent | next [-] | | To be fair, he himself removed his unnecessary dependency that caused the explosion of dependencies: https://github.com/A11yance/aria-query/commit/ee003d2af54b6b... EDIT: Oops, he just did the changelog entry. The actual fix was done by someone else: https://github.com/A11yance/aria-query/commit/f5b8f4c9001ba7... | |
| ▲ | motorest 6 days ago | parent | prev | next [-] | | Older browsers don't support foreach, so it's not like a polyfill is unheard of https://caniuse.com/?search=foreach | | |
| ▲ | whilenot-dev 6 days ago | parent [-] | | Are you serious here? It isn't a polyfill, it's supposed to work on plain objects which isn't part of the spec at all. Besides that, Array.prototype.forEach is only unsupported in Android Browser 4.3 (from July 2013) and IE8 (from May 2008). Seems like a weird reasoning to add it to packages in 2025. | | |
| ▲ | motorest 6 days ago | parent | next [-] | | > Are you serious here? I am. If you check the definition of polyfill, you'll eventually arrive at something like the following: > A polyfill is a piece of code (usually JavaScript on the Web) used to provide modern functionality on older browsers that do not natively support it. https://developer.mozilla.org/en-US/docs/Glossary/Polyfill I think we would agree that foreach fits the definition, happy path, and whole purpose of a polyfill. if you read up on forEach, you will notice that Array.prototype.forEach requires objects to be callable. https://developer.mozilla.org/en-US/docs/Web/JavaScript/Refe... | | |
| ▲ | whilenot-dev 6 days ago | parent [-] | | > I think we would agree that foreach fits the definition, happy path, and whole purpose of a polyfill I think you got that all wrong and strongly misinterpret "modern functionality" as some generic library here... Runtimes are developed against a certain spec, in this case ECMAScript, and "modern functionality" is meant as addition to iterations of such a spec. As it happens, iterations of specifications and runtimes are seldomly provided by the same entity, so both are moving forward with newly supported features, or more "modern functionality", individually. This behavior provokes some difficult challenges for developers. For once, they would like to work against the latest spec with its newest features, but, due to the natural dynamic of various entities doing things in different ways, these developers would also need to support older/other runtimes where such a feature is not (yet) implemented natively. Now, to bridge these supported-feature-gaps developers came up with an interesting concept: Instead of waiting and relying on the runtime to support such a new feature, it might be possible to provide an implementation as workaround, hence the "polyfill". So, if something A isn't currently in the spec, nor B even proposed or in discussion to be in the spec, nor C provided by any current runtime (and relied upon by developers), then I'd conclude that such a functionality is not considered to be a polyfill, as it isn't to be seen as workaround for the supported-feature-gaps due to the difference in runtimes. | | |
| ▲ | motorest 5 days ago | parent [-] | | > I think you got that all wrong and strongly misinterpret "modern functionality" as some generic library here... I didn't. I am telling you exactly why polyfills exist, and why people use them. More importantly, I am explaining to you why this scheme is successful. You don't need to write any wall of text that adds nothing. Read the facts I laid out, and use that to either understand how things work, or don't. It's your choice. | | |
|
| |
| ▲ | 5 days ago | parent | prev [-] | | [deleted] |
|
| |
| ▲ | karel-3d 5 days ago | parent | prev [-] | | ljharb has commit rights (edit: maybe? maybe not. not sure) to nodejs itself https://github.com/nodejs/node/issues/55918 so.. I don't know. if he wanted to bad he would already |
|
| |
| ▲ | nullc 5 days ago | parent | prev | next [-] | | > is setting up for a massive, multi-pronged software supplychain attack The problem with this view is that the JS ecosystem is already doing that all on its own without that particular contributor. (as has the rust ecosystem, which slavishly copied JS' bad practices). Eliminate the one guy and JS is still pervasively vulnerable to these attacks. The polyfills are the least of it, because at least they should be completely stable and could just be copied into projects. Other dependencies not so much. | |
| ▲ | 6 days ago | parent | prev [-] | | [deleted] |
|
|
| ▲ | fastball 6 days ago | parent | prev | next [-] |
| The author is almost certainly ljharb. |
| |
| ▲ | 0x696C6961 6 days ago | parent [-] | | I'm convinced he's a rage baiting account. No-one can consistently have such bad takes. | | |
|
|
| ▲ | smitty1e 6 days ago | parent | prev | next [-] |
| It does raise the idea of managed backward compatibility. Especially if you could control at install time just how far back to go, that might be interesting. Also an immediately ridiculous graph problem for all but trivial cases. |
|
| ▲ | 6 days ago | parent | prev | next [-] |
| [deleted] |
|
| ▲ | 6 days ago | parent | prev [-] |
| [deleted] |
