| |
| ▲ | brobdingnagians 5 hours ago | parent | next [-] | | Lots of languages ecosystems have this problem, but it is especially prominent in JS and lies on a spectrum. For comparison, in the C/C++ ecosystem it is prominent to have libraries advertising that they have zero dependencies and header only or one common major library like Boost. | |
| ▲ | RUnconcerned 5 hours ago | parent | prev | next [-] | | What other language ecosystems have had this happen systematically? This isn't even the first time this month! | | | |
| ▲ | cedws 3 hours ago | parent | prev | next [-] | | The JavaScript ecosystem has a major case of import-everything disease that acts as a catalyst for supply chain attacks. left-pad as one example of many. | |
| ▲ | 5 hours ago | parent | prev | next [-] | | [deleted] | |
| ▲ | lithos 5 hours ago | parent | prev | next [-] | | Just more engineering leaning than you. Actual engineers have to analyze their supply chains, and so makes sense they would be baffled by NPM dependency trees that utterly normal projects grow into in the JavaScript ecosystem. | | |
| ▲ | Lumping6371 16 minutes ago | parent | next [-] | | Good thing that at scale, private package repositories or even in-house development is done. Personally, I would argue that an engineer unable to tell apart perfect from good, isn't a very good engineer in my book, but some engineers are unable to make compromises. | |
| ▲ | zachrip 5 hours ago | parent | prev [-] | | Do you think companies using node don't analyze supply chains? That's nonsense. Have you cargo installed a rust app recently? This isn't just a js issue. This needs to be solved across the industry and npm frankly has done a horrible job at it. We let people with billions of downloads a month with recently changed password/2fa publish packages? Why don't we pool assets as a collective to scan newly published packages before they're allowed to be installed? These types of things really should exist across all package registries (and my really hot take is that we probably don't need a registry for every language, either!). | | |
| ▲ | pclmulqdq 3 hours ago | parent | next [-] | | It is solved across the industry for those who care. If you use cargo, npm, or a python package manager, you may have a service that handles static versioning of dependencies for security purposes. If you don't, you aren't generally working in a language that encourages so much package use. | |
| ▲ | LaGrange 3 hours ago | parent | prev [-] | | > Do you think companies using node don't analyze supply chains? I _know_ many don’t. In fact suggesting doing it is a good way to be looked at like a crazy person and be told something like “this is a yes place not a no place.” |
|
| |
| ▲ | hsbauauvhabzb 5 hours ago | parent | prev | next [-] | | That they’ve coded in more than one language? | |
| ▲ | Aeolun 5 hours ago | parent | prev [-] | | I think it’s just that a lot of old men don’t like how popular it has become with script kiddies. |
|
| |
| ▲ | komali2 5 hours ago | parent [-] | | Pause, you could write an HTML to markdown library in half a day? Like, 4 hours? Or 12? Either way damn | | |
| ▲ | epolanski 5 hours ago | parent [-] | | One that gets me 90% there would take me few hours, one that gets me 99% there few months, which is why eventually people would rather pull a dependency. | | |
| ▲ | williamcotton 5 hours ago | parent [-] | | Or about 15 minutes with an LLM? https://github.com/williamcotton/markdown-to-html-llm ;)
| | |
| ▲ | epolanski 4 hours ago | parent | next [-] | | I love how it took you very short to implement...the wrong thing. > I myself just the other day had the task of converting HTML to markdown > you could write an HTML to markdown library in half a day | | |
| ▲ | williamcotton 3 hours ago | parent [-] | | LOL! Good point, my friend. | | |
| ▲ | williamcotton 3 hours ago | parent [-] | | Claude Code just added support for HTML to Markdown. Seems to work? | | |
| ▲ | epolanski 3 hours ago | parent [-] | | In any case, not following the point you're trying to make. | | |
| ▲ | williamcotton 2 hours ago | parent [-] | | LLMs are pretty good at greenfield projects and especially if they are tasked with writing something with a lot of examples in the training data. This approach can be used to solve the problem of supply-chain attacks with the downside being that the code might not be as well written and feature complete as a third-party package. | | |
|
|
|
| |
| ▲ | neilv 5 hours ago | parent | prev [-] | | In less time than that, you could `git clone` the desired open source package, and text search & replace the author's name with your own. | | |
| ▲ | williamcotton 4 hours ago | parent [-] | | And then still be subject to supply-chain attacks with all of the dependencies in whatever open source package you're cloning? | | |
| ▲ | xrisk 2 hours ago | parent [-] | | you are aware that the app you just wrote with Claude pulls in dependencies, yes? | | |
| ▲ | williamcotton 2 hours ago | parent [-] | | Not for the parser, only for the demo server! And I guess the dev dependencies as well, but with a much smaller surface area. But yeah, I don't think a TypeScript compiler is within the scope of an LLM. |
|
|
|
|
|
|
|
| |
| ▲ | Xelbair 6 hours ago | parent | next [-] | | as much as i can yes. I try to avoid JS, as it is a horrible language, by design. That does include TS, but it at least is useable, but barely - because it still tied to JS itself. | | |
| ▲ | diggan 6 hours ago | parent | next [-] | | Off-topic, but I love how different programmers think about things, and how nothing really is "correct" or "incorrect". Started thinking about it because for me it's the opposite, JS is an OK and at least usable language, as long as you avoid TS and all that comes with it. Still, even I who'd call myself a JavaScript developer also try to avoid desktop applications made with just JS :) | | |
| ▲ | Xelbair 5 hours ago | parent | next [-] | | JS's issue is that it allows you to run an objectively wrong code without throwing explicit error to the user, it just fails silently or does something magical. Seems innocent, until you realize what we use JS for, other than silly websites or ERP dashboards. It is full of gotchas that serves 0 purpose nowadays. Also remember that it is basically a Lisp wearing Java skin on top, originally designed in less than 2 weeks. Typescript is one of few things that puts safety barrier and sane static error checking that makes JS bearable to use - but it still has to fall down to how JS works in the end so it suffers from same core architectural problems. | | |
| ▲ | diggan 5 hours ago | parent [-] | | > JS's issue is that it allows you to run an objectively wrong code without throwing explicit error to the user, it just fails silently or does something magical. Seems innocent, until you realize what we use JS for, other than silly websites or ERP dashboards. What some people see as a fault, others see as a feature :) For me, that's there to prevent entire websites from breaking because some small widget in the bottom right corner breaks, for example. Rather than stopping the entire runtime, it just surfaces that error in the developer tools, but lets the rest to continue working. Then of course entire web apps crash because one tiny error somewhere (remember seeing a blank page with just some short error text in black in the middle? Those), but that doesn't mean that's the best way of doing things. > Also remember that it is basically a Lisp wearing Java skin on top I guess that's why I like it better than TS, that tries to move it away from that. I mainly do Clojure development day-to-day, and static types hardly ever gives me more "safety" than other approaches do. But again, what I do isn't more "correct" than what anyone else does, it's largely based on "It's better for me to program this way". | | |
| ▲ | Xelbair 5 hours ago | parent [-] | | >it's there to prevent entire websites from breaking because some small widget in the bottom right corner breaks, for example. the issue is that it prevents that, but also allows you to send complete corrupt data forward, that can create horrible cascade of errors down the pipeline - because other components made assumption about correctness of data passed to them. Such display errors should be caught early in development, should be tested, and should never reach prod, instead of being swept under the rug - for anything else other than prototype. but i agree - going fully functional with dynamic types beats average JS experience any day.
It is just piling up more mud upon giant mudball, |
|
| |
| ▲ | eitland 4 hours ago | parent | prev [-] | | > JS is an OK and at least usable language, as long as you avoid TS and all that comes with it. Care to explain why? My view is this: since you can write plain JS inside TS (just misconfigure tsconfig badly enough), I honestly don’t see how you arrive at that conclusion. I can just about understand preferring JS on the grounds that it runs without a compile step. But I’ve never seen a convincing explanation of why the language itself is supposedly better. |
| |
| ▲ | hoppp 5 hours ago | parent | prev | next [-] | | Lucky you. I keep coming back to it because jobs and even for desktop apps a native webview beats everything else. We fcked up with js, big time and its with us forever now | | |
| ▲ | koakuma-chan 5 hours ago | parent | next [-] | | For game dev too - all game engines suck. <canvas/> FTW. | |
| ▲ | sfn42 4 hours ago | parent | prev [-] | | I was hyped for wasm because i thought it was supposed to solve this problem, allowing any programming language to be compiled to run in browsers. But apparently they only made it do like 95% of what JS does so you can't actually replace js with it. To me it seems like a huge blunder. I don't give a crap about making niche applications a bit faster, but freeing the web from the curse of JS would be absolutely huge. And they basically did it except not quite. It's so strange to me, why not just go the extra 5%? | | |
| ▲ | lyu07282 9 minutes ago | parent | next [-] | | That 5% of js glue code necessary right now is just monumentally difficult to get rid of, it's like a binary serialization / interface (ABI) of all DOM/BOM APIs and these APIs are huge, dynamic, callback-heavy and object-oriented. It's much easier to have that glue compiler generated, which you can already do right now (you can write your entire web app in rust if you want): https://github.com/wasm-bindgen/wasm-bindgen
https://docs.rs/web-sys/latest/web_sys/ This is also being worked on, in the future this 5% glue might eventually entirely disappear: > Designed with the "Web IDL bindings" proposal in mind. Eventually, there won't be any JavaScript shims between Rust-generated wasm functions and native DOM methods | |
| ▲ | hoppp 4 hours ago | parent | prev [-] | | Maybe its something about sharing memory with the js that would introduce serious vulnerabilities so they can't let wasm code have access to everything. The only way to remove Js is to create a new browser that doesn't use it. Fragments the web, yes and probably nobody will use it |
|
| |
| ▲ | kaiomagalhaes 5 hours ago | parent | prev [-] | | out of sincere curiosity, which one is a great programming language to you? | | |
| ▲ | Xelbair 5 hours ago | parent [-] | | depends on use case, i don't think one language can fit all cases. 100% correctness is required for systems, but it is a hindrance in non-critical systems. or robust type systems require high compilation times which hurt iterating on the codebase. systems? rust - but it is still far from perfect, too much focus on saving few keystrokes here and there. general purpose corporate development? c# - despite current direction post .net 5 of stapling together legacy parts of .net framework to .net core. it does most things good enough. scripting, and just scripting? python. web? there's only one, bad, option and that's js/ts. most hated ones are in order: js, go, c++, python. go is extremely infuriating, there was a submission on HN that perfectly encapsulated my feelings about it, after writing it for a while: https://fasterthanli.me/articles/i-want-off-mr-golangs-wild-... | | |
|
| |
| ▲ | 5 hours ago | parent | prev | next [-] | | [deleted] | |
| ▲ | shkkmo 5 hours ago | parent | prev | next [-] | | You can write javascript without using npm... | |
| ▲ | Arch-TK 6 hours ago | parent | prev [-] | | I mean, it's hard to avoid indirectly using things that use npm, e.g. websites or whatever. But it's pretty easy to never have to run npm on your local machine, yes. |
|
