karel-3d 6 days ago

To save everyone else a search, it's probably ljharb. (I am not a member of the JS community, so come and attack me.)

Sammi 6 days ago | parent | next [-]

Saga starts here:

https://x.com/BenjaminMcCann/status/1804295731626545547?lang...

https://github.com/A11yance/axobject-query/pull/354

Specifically, Ben McCann along with other Svelte devs got tired of him polluting their dependency trees with a massive amount of code and packages and called him out on it. He doubled down, it blew up, and everyone started migrating away from his packages.

ljharb also does a lot of work on js standards and is the guy you can thank for globalThis. Guy has terrible taste and insists everyone else should abide by it.

karel-3d 6 days ago | parent | next [-]

This specific saga starts 1 year before that, in an arguably more insane thread:

https://github.com/A11yance/aria-query/pull/497

Too 5 days ago | parent | prev [-]

Wow. If this is not laying the foundation for a supply chain attack I don’t know what this is.

sunaookami 6 days ago | parent | prev [-]

Wow that's some deep rabbit hole. This guy gets paid per XY npm downloads and games the system through this. Awful.

karel-3d 6 days ago | parent | next [-]

There is apparently a tool to which you can upload your package.json, and it will show you how many dependencies are controlled by ljharb:

https://voldephobia.rschristian.dev/
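The check that tool performs, as an added illustration that is not the tool's own code: walk a package-lock.json (lockfileVersion 3, flat hoisted layout assumed) from the root entry, collect the transitive install closure, and measure how much of it is attributed to a single maintainer. The lock data and the maintainer attribution table below are constructed; in practice the attribution comes from the registry's packument for each package.

```javascript
// Constructed package-lock.json v3 fragment: "" is the project root, other keys
// are the installed packages. Names here are made up, not real npm packages.
const lock = { packages: {
  "": { dependencies: { "app-lib": "^1.0.0", "other-lib": "^2.0.0" } },
  "node_modules/app-lib": { version: "1.0.0",
    dependencies: { "is-foo": "^1.0.0", "has-bar": "^1.0.0" } },
  "node_modules/is-foo": { version: "1.0.0", dependencies: { "tiny-util": "^1.0.0" } },
  "node_modules/has-bar": { version: "1.0.0", dependencies: { "tiny-util": "^1.0.0" } },
  "node_modules/tiny-util": { version: "1.0.0" },
  "node_modules/other-lib": { version: "2.0.0" },
}};
// Constructed attribution: package name -> maintainer handle. A real audit would
// fill this from `npm view <pkg> maintainers` (or the packument) and cache it.
const maintainers = { "is-foo": "maint-a", "has-bar": "maint-a", "tiny-util": "maint-a",
  "app-lib": "maint-b", "other-lib": "maint-c" };

// Transitive closure of the root's dependencies, following the lockfile's
// own dependency edges (assumes hoisted node_modules/<name> entries).
function installClosure(lockData) {
  const seen = new Set();
  const stack = Object.keys(lockData.packages[""].dependencies || {});
  while (stack.length) {
    const name = stack.pop();
    if (seen.has(name)) continue;
    seen.add(name);
    const entry = lockData.packages[`node_modules/${name}`];
    if (!entry) continue; // dangling edge: lockfile and tree disagree
    for (const dep of Object.keys(entry.dependencies || {})) stack.push(dep);
  }
  return seen;
}

// Count closure members per maintainer and report the most concentrated one.
function maintainerConcentration(lockData, attribution) {
  const deps = installClosure(lockData);
  const counts = {};
  for (const d of deps) {
    const m = attribution[d] || "unknown";
    counts[m] = (counts[m] || 0) + 1;
  }
  const [topMaintainer, n] = Object.entries(counts).sort((a, b) => b[1] - a[1])[0];
  return { total: deps.size, counts, topMaintainer, share: n / deps.size };
}

console.log(JSON.stringify(maintainerConcentration(lock, maintainers)));
```

A high share for one maintainer is not itself a vulnerability, but it is a single point of compromise worth knowing about when reviewing a lockfile.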

rschristian 2 days ago | parent | next [-]

Ha, was wondering why I started getting a few more stars all of a sudden.

For extra context: I created the tool ~9 months prior to the meltdown as one could vaguely mention an individual trolling over NPM deps and absolutely everyone in the ecosystem with a bit of experience would know who was being referred to, aka, "You Know Who". And, if you dared mention him by name, he'd eventually show up reciting his download counts in endless "appeal to authority"-style arguments, trying to brow-beat people into accepting that he knows more or whatever, ergo, "He Who Must Not Be Named" (at least, if you didn't want him being annoying in your mentions).

There's a number of "-phobia" apps in the ecosystem and given the negative impact he has on dependency trees, it felt fitting to offer a similar, somewhat satirical, app to detect how much of your dependency tree he controlled.

dvfjsdhgfv 6 days ago | parent | prev | next [-]

It looks like if I wanted to install a particular piece of software on many modern websites and I didn't have enough resources to hack node itself, talking to this guy would be a logical choice.

karel-3d 5 days ago | parent [-]

Eh, as much as I think this guy has very weird opinions, if he wanted to cause harm, he would have done it many years ago. When I started looking him up, he DOES do a lot of good work in the ecosystem. Which makes this a more complex issue.

But, also, he does this "backwards compatibility forever" insanity. I think it's his crusade.

goriv 5 days ago | parent | prev [-]

Damn, I just checked a random express project I built and there are a lot of things underlined in red there. I think the most amazing one is https://www.npmjs.com/package/is-number-object, which has a stupidly large dependency tree.
