Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
Centigonal 6 days ago

It's probably a clout thing, or just a weird guy (Hanlon's Razor), but a particularly paranoid interpretation is that this person is setting up for a massive, multi-pronged software supplychain attack.

godelski 6 days ago | parent | next [-]

Those don't have to be mutually exclusive. Often those with clout are targeted for supplychain attacks. Take xz as an example. Doesn't seem unreasonable that a solo dev or small team looks to either sell their projects or transfer them to someone else (often not even with money exchanging hands). Or even how old social media accounts are hacked so that they can appear as legitimate accounts.

I'm big on Hanlon's Razor too, but that doesn't mean the end result can't be the same.

motorest 6 days ago | parent | prev | next [-]

> (...) but a particularly paranoid interpretation is that this person is setting up for a massive, multi-pronged software supplychain attack.

That person might not be doing it knowingly or on purpose, but regardless of motivations that is definitely what is being done.

whilenot-dev 6 days ago | parent [-]

A package "for-each"[0] that depends on a package "is-callable"[1], just to make forEach work on objects? Nope, not buying the goodwill here.

[0]: https://www.npmjs.com/package/for-each

[1]: https://www.npmjs.com/package/is-callable

whilenot-dev 6 days ago | parent | next [-]

To be fair, he himself removed his unnecessary dependency that caused the explosion of dependencies: https://github.com/A11yance/aria-query/commit/ee003d2af54b6b...

EDIT: Oops, he just did the changelog entry. The actual fix was done by someone else: https://github.com/A11yance/aria-query/commit/f5b8f4c9001ba7...

motorest 6 days ago | parent | prev | next [-]

Older browsers don't support foreach, so it's not like a polyfill is unheard of

https://caniuse.com/?search=foreach

whilenot-dev 6 days ago | parent [-]

Are you serious here? It isn't a polyfill, it's supposed to work on plain objects which isn't part of the spec at all. Besides that, Array.prototype.forEach is only unsupported in Android Browser 4.3 (from July 2013) and IE8 (from May 2008). Seems like a weird reasoning to add it to packages in 2025.

motorest 6 days ago | parent | next [-]

> Are you serious here?

I am.

If you check the definition of polyfill, you'll eventually arrive at something like the following:

> A polyfill is a piece of code (usually JavaScript on the Web) used to provide modern functionality on older browsers that do not natively support it.

https://developer.mozilla.org/en-US/docs/Glossary/Polyfill

I think we would agree that foreach fits the definition, happy path, and whole purpose of a polyfill.

if you read up on forEach, you will notice that Array.prototype.forEach requires objects to be callable.

https://developer.mozilla.org/en-US/docs/Web/JavaScript/Refe...

whilenot-dev 6 days ago | parent [-]

> I think we would agree that foreach fits the definition, happy path, and whole purpose of a polyfill

I think you got that all wrong and strongly misinterpret "modern functionality" as some generic library here...

Runtimes are developed against a certain spec, in this case ECMAScript, and "modern functionality" is meant as addition to iterations of such a spec. As it happens, iterations of specifications and runtimes are seldomly provided by the same entity, so both are moving forward with newly supported features, or more "modern functionality", individually.

This behavior provokes some difficult challenges for developers. For once, they would like to work against the latest spec with its newest features, but, due to the natural dynamic of various entities doing things in different ways, these developers would also need to support older/other runtimes where such a feature is not (yet) implemented natively. Now, to bridge these supported-feature-gaps developers came up with an interesting concept: Instead of waiting and relying on the runtime to support such a new feature, it might be possible to provide an implementation as workaround, hence the "polyfill".

So, if something A isn't currently in the spec, nor B even proposed or in discussion to be in the spec, nor C provided by any current runtime (and relied upon by developers), then I'd conclude that such a functionality is not considered to be a polyfill, as it isn't to be seen as workaround for the supported-feature-gaps due to the difference in runtimes.

motorest 5 days ago | parent [-]

> I think you got that all wrong and strongly misinterpret "modern functionality" as some generic library here...

I didn't. I am telling you exactly why polyfills exist, and why people use them.

More importantly, I am explaining to you why this scheme is successful.

You don't need to write any wall of text that adds nothing. Read the facts I laid out, and use that to either understand how things work, or don't. It's your choice.

whilenot-dev 5 days ago | parent [-]

I did just explain to you why this "scheme" in the "for-each"[0] package has nothing to do with the forEach method in the Array object[1] - method VS function for once, doesn't implement a spec'ed feature secondly.

More generously, I am explaining to you why your definition of a "polyfill" "is [NOT] successful" and isn't how it's commonly understood.

But you do you, it's fine.

[0]: https://www.npmjs.com/package/for-each

[1]: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Refe...

5 days ago | parent | prev [-]
[deleted]
karel-3d 5 days ago | parent | prev [-]

ljharb has commit rights (edit: maybe? maybe not. not sure) to nodejs itself

https://github.com/nodejs/node/issues/55918

so.. I don't know. if he wanted to bad he would already

nullc 5 days ago | parent | prev | next [-]

> is setting up for a massive, multi-pronged software supplychain attack

The problem with this view is that the JS ecosystem is already doing that all on its own without that particular contributor. (as has the rust ecosystem, which slavishly copied JS' bad practices).

Eliminate the one guy and JS is still pervasively vulnerable to these attacks. The polyfills are the least of it, because at least they should be completely stable and could just be copied into projects. Other dependencies not so much.

6 days ago | parent | prev [-]
[deleted]