kome 7 hours ago

why don't web devs just learn html and css properly, and maybe xslt for the really complex transformations then use vanilla js only when it's truly necessary?

instead we've got this absolute mess of bloated, over-engineered junk code and ridiculously complicated module systems.

venturecruelty 30 minutes ago | parent | next [-]

Because then how would they pay their inflated Bay Area rent?

vorticalbox 5 hours ago | parent | prev | next [-]

the issue is not that devs don't know what they are, it's that they don't pin packages

if you run `npm i ramda` it will set this to "ramda": "^0.32.0" (as of comment)

that ^ means install any version that is a feature or patch.

so when a package is released with malware they bump version 0.32.1 and everyone just installs it on next npm i.

pinning your deps "ramda": "0.32.0" completely removes the risk assuming the version you listed is not infected.

the trade off is you don't get new features/patches without manually changing the version bump.
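As an added example (not code from the thread or from npm itself), the script below shows what a caret specifier actually resolves to against a set of published versions, and flags every dependency in a package.json that is not an exact `x.y.z` pin. It implements npm's caret rule directly: a caret allows any version that leaves the left-most non-zero component unchanged, so `^1.2.3` accepts up to `<2.0.0` while `^0.32.0` only accepts up to `<0.33.0`. The manifest and the list of "published" ramda versions are constructed for the example, not read from the registry.

```javascript
// Added example: caret-range resolution and an unpinned-dependency check.
// Plain Node.js, no third-party packages. Manifest and version list are
// constructed sample data, not the real npm registry.

// Parse an exact "x.y.z" version into [major, minor, patch].
const parseVersion = (v) => {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`not an exact version: ${v}`);
  return m.slice(1).map(Number);
};

// Lexicographic compare of two parsed versions: <0, 0, >0.
const compare = (a, b) => {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
};

// Caret semantics: the left-most non-zero component may not change.
//   ^1.2.3  -> >=1.2.3  <2.0.0
//   ^0.32.0 -> >=0.32.0 <0.33.0   (a 0.x caret only admits patch bumps)
//   ^0.0.3  -> >=0.0.3  <0.0.4
function caretRange(spec) {
  const base = parseVersion(spec.slice(1));
  const [major, minor, patch] = base;
  let upper;
  if (major > 0) upper = [major + 1, 0, 0];
  else if (minor > 0) upper = [0, minor + 1, 0];
  else upper = [0, 0, patch + 1];
  return { min: base, maxExclusive: upper };
}

// Does `version` fall inside `spec` (either "^x.y.z" or an exact pin)?
function satisfies(version, spec) {
  const v = parseVersion(version);
  if (spec.startsWith('^')) {
    const { min, maxExclusive } = caretRange(spec);
    return compare(v, min) >= 0 && compare(v, maxExclusive) < 0;
  }
  return compare(v, parseVersion(spec)) === 0;
}

// Highest published version the specifier would pull in on `npm i`, or null.
function resolve(spec, published) {
  const ok = published
    .filter((v) => satisfies(v, spec))
    .sort((a, b) => compare(parseVersion(b), parseVersion(a)));
  return ok.length ? ok[0] : null;
}

// Flag every dependency whose specifier is not an exact x.y.z.
function findUnpinned(manifest) {
  const out = [];
  for (const field of ['dependencies', 'devDependencies']) {
    for (const [name, spec] of Object.entries(manifest[field] || {})) {
      if (!/^\d+\.\d+\.\d+$/.test(spec)) out.push({ field, name, spec });
    }
  }
  return out;
}

// Constructed sample manifest and a constructed list of "published" versions.
const manifest = {
  dependencies: { ramda: '^0.32.0', express: '4.21.2' },
  devDependencies: { eslint: '^9.0.0' },
};
const publishedRamda = ['0.31.3', '0.32.0', '0.32.1', '0.33.0'];

console.log('unpinned:', findUnpinned(manifest));
console.log('^0.32.0 resolves to', resolve('^0.32.0', publishedRamda));
console.log('0.32.0 resolves to', resolve('0.32.0', publishedRamda));
```

Note that pinning specifiers in package.json only constrains direct dependencies; what your transitive dependencies resolve to is governed by the lockfile, so install with `npm ci` in pipelines and containers if the goal is byte-identical trees across machines.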

christophilus 5 hours ago | parent | next [-]

> the trade off

I see that as a desirable feature. I don’t want new functionality suddenly popping into my codebase without one of my team intending it.

vorticalbox 3 hours ago | parent [-]

me too but a lot of people see it as massive overhead they don't want to deal with.

personally I pin all mine because if you don't a version could be deployed during a pipeline and this makes your local version not the same as the one in docker etc.

pinning versions is the only way to be sure that the version I am running is the same as everyone else's

dboreham 4 hours ago | parent | prev [-]

For context: ramda 0.32.0 isn't a concrete thing, in the sense that glibc 2.35 is. It really means "the latest ramda code because if you were to pin on this version it'll at some point stop working". glibc 2.35 never stops working.

lexicality 4 hours ago | parent | prev [-]

Good luck with the XSLT going forward what with Google trying to remove it from the internet.