| ▲ | bob1029 8 hours ago |
| "Batteries included" ecosystems are the only persistent solution to the package manager problem. If your first party tooling contains all the functionality you typically need, it's possible you can be productive with zero 3rd party dependencies. In practice you will tend to have a few, but you won't be vendoring out critical things like HTTP, TCP, JSON, string sanitation, cryptography. These are beacons for attackers. Everything depends on this stuff so the motivation for attacking these common surfaces is high. I can literally count on one hand the number of 3rd party dependencies I've used in the last year. Dapper is the only regular thing I can come up with. Sometimes ScottPlot. Both of my SQL providers (MSSQL and SQLite) are first party as well. This is a major reason why they're the only sql providers I use. Maybe I am just so traumatized from compliance and auditing in regulated software business, but this feels like a happier way to build software too. My tools tend to stay right where I left them the previous day. I don't have to worry about my hammer or screw drivers stealing all my bitcoin in the middle of the night. |
|
| ▲ | dec0dedab0de an hour ago | parent | next [-] |
| Batteries included systems are still susceptible to supply chain attacks, they just move slower so it’s not as attractive of a target. I think packages of a certain size need to be held to higher standards by the repositories.
Multiple users should have to approve changes. Maybe enforced scans (though with trivy’s recent compromise that wont be likely any time soon) Basically anything besides lone developer can decide to send something out on a whim that will run on millions of machines. |
|
| ▲ | afavour 5 hours ago | parent | prev | next [-] |
| Irony is that Node has no need for Axios, native fetch support has been there for years, so in terms of network requests it is batteries included. |
| |
| ▲ | zadikian 11 minutes ago | parent | next [-] | | Node fetch is relatively new. Wasn't marked stable until 2023, though I've used it since like 2018. | |
| ▲ | 12 minutes ago | parent | prev | next [-] | | [deleted] | |
| ▲ | pier25 3 hours ago | parent | prev | next [-] | | People use axios or ky because with fetch you inevitably end up writing a small wrapper on top of it anyway. | | |
| ▲ | zachrip 2 hours ago | parent | next [-] | | Fetch has also lacked support for features that xhr has had for over a decade now. For example upload progress. It's slowly catching up though, upload progress is the only thing I'd choose xhr for. | |
| ▲ | afavour 3 hours ago | parent | prev | next [-] | | Some might say the tradeoff of writing a small wrapper is worth it given what’s been demonstrated here. | | | |
| ▲ | jmull 2 hours ago | parent | prev [-] | | In my experience people feel the need to wrap axios too. |
| |
| ▲ | cyco130 3 hours ago | parent | prev | next [-] | | I'm not sure fetch is a good server-side API. The typical fetch-based code snippet `fetch(API_URL).then(r => r.json())` has no response body size limit and can potentially bring down a server due to memory exhaustion if the endpoint at API_URL malfunctions for some reason. Fine in the browser but to me it should be a no-no on the server. | | |
| ▲ | augusto-moura 3 hours ago | parent [-] | | Hm, I don't think axios would do much better here. `fetch` is the official replacement for axios. If both are flawed that's another topic | | |
| ▲ | cyco130 an hour ago | parent | next [-] | | Axios has maxContentLength and maxBodyLength options. I would probably go with undici nowadays though (it also has maxResponseSize). | |
| ▲ | nailer an hour ago | parent | prev [-] | | > `fetch` is the official replacement for axios. No. Axios is still maintained. They have not deprecated the project in favor of fetch. | | |
| ▲ | augusto-moura 18 minutes ago | parent [-] | | I'm not saying that axios is unmaintained, I'm saying that if you want something like axios from the standard lib, fetch is the closest thing you get to official |
|
|
| |
| ▲ | augusto-moura 3 hours ago | parent | prev | next [-] | | It doesn't have a need _now_. Axios is more than 10 years old now, and even before axios other libraries did the same utility of making requests easier | |
| ▲ | 4 hours ago | parent | prev | next [-] | | [deleted] | |
| ▲ | MBCook an hour ago | parent | prev [-] | | Browsers too. It’s not needed anymore. |
|
|
| ▲ | wongarsu 6 hours ago | parent | prev | next [-] |
| > In practice you will tend to have a few, but you won't be vendoring out critical things like HTTP, TCP, JSON, string sanitation, cryptography Unless you are Python, where the standard library includes multiple HTTP libraries and everyone installs the requests package anyways. Few languages have good models for evolving their standard library, so you end up with lots of bad designs sticking around forever. Libraries are much easier to evolve, giving them the advantage in terms of developer UX and performance. |
| |
| ▲ | paintbox 4 hours ago | parent | next [-] | | What type of developer chooses UX and performance over security? So reckless. I removed the locks from all the doors, now entering/exiting is 87% faster!
After removing all the safety equipment, our vehicles have significantly improved in mileage, acceleration and top speed! | | |
| ▲ | integralid 3 hours ago | parent | next [-] | | >What type of developer chooses UX and performance over security? So reckless. Initially I assumed this is sarcastic, but apparently not. UX and performance is what programmers are paid to do! Making sure UX is good is one of the most important things in programmer job. While security is a moving target, a goal, something that can never be perfect, just "good enough" (if NSA wants to hack you, they will). You make it sound like installing third party packages is basically equivalent to a security hole, while in practice the risk is low, especially if you don't overdo it. Wild to read extreme security views like that, while at the same time there are people here that run unconstrained AI agents with --dangerous-skip-confirm flags and see nothing wrong with it. | |
| ▲ | duskdozer 3 hours ago | parent | prev | next [-] | | "Security" is often more about corporate CYA than improving my actual security as a user, and sometimes in opposition, and there is often blatant disregard for any UX concession at all. The most secure system is fully encrypted with all copies of the encryption key erased. | |
| ▲ | wongarsu 3 hours ago | parent | prev [-] | | Better developer UX can directly lead to better safety. "You are holding it wrong" is a frequent source of security bugs, and better UX reduces the ways you can hold it wrong, or at least makes you more likely to hold it the right way | | |
| ▲ | skydhash 3 hours ago | parent [-] | | Friction is helpful. Putting seatbelts on takes more time than just driving, but it’s way safer for the driver. Current dev practices increase speed, not safety. |
|
| |
| ▲ | nicce 3 hours ago | parent | prev | next [-] | | > Unless you are Python, where the standard library includes multiple HTTP libraries and everyone installs the requests package anyways. The amount of time defining same data structures over and over again vs `pip install requests` with well defined data structures. | |
| ▲ | seunosewa an hour ago | parent | prev | next [-] | | requests should be in the Python standard library. Hard choices need to be made. | |
| ▲ | ptx 6 hours ago | parent | prev [-] | | I'm pretty sure it's really one HTTP library: urllib.request is built on top of http.client. But the very Java-inspired API for the former is awful. |
|
|
| ▲ | cozzyd an hour ago | parent | prev | next [-] |
| or you don't use a package manager where anyone can just publish a package (i.e. use your system package manager). There is still some risk, but it is much smaller. Like, if xz were distributed by PyPI or NPM, everyone would have been pwned, but instead it was (barely) found. It's true that system repos doesn't include everything, but you can create your own repositories if you really need to for a few things. In practice Fedora/EPEL are basically sufficient for my needs. Right now I'm deploying something with yocto, which is a bit more limited in slection, but it's pretty easy to add my own packages and it at least has hashes so things don't get replaced without me noticing (to be fair, I don't know if the security practices of open-embedded recipes are as strong as Fedora...). |
| |
| ▲ | calvinmorrison an hour ago | parent [-] | | it's muddying what a package is. A package, or a distro, is the people who slave and labor over packaging, reviewing, deciding on versions to ship, having policies in place, security mailing lists, release schedules, etc. just shipping from npm crap is essentially the equivelant of running your production code base against Arch AUR pkgbuilds. |
|
|
| ▲ | zdc1 7 hours ago | parent | prev | next [-] |
| The other thing that keeps coming up is the github-code-is-fine-but-the-release-artifact-is-a-trojan issue. It really makes me question if "packages" should even exist in JavaScript, or if we could just be importing standard plain source code from a git repo. I understand why this doesn't work well with legacy projects, but it's something that the language could strive towards. |
| |
| ▲ | EMM_386 3 hours ago | parent | next [-] | | This might make things worse not better. Yes - the postinstall hook attack vector goes away. You can do SHA pinning since Git's content addressing means that SHA is the hash of the content. But then your "lockfile" equivalent is just... a list of commit SHAs scattered across import statements in your source? Managing that across a real dependency tree becomes a nightmare. This is basically what Deno's import maps tried to solve, and what they ended up with looked a lot like a package registry again. At least npm packages have checksums and a registry that can yank things. | |
| ▲ | embedding-shape 6 hours ago | parent | prev [-] | | > I understand why this doesn't work well with legacy projects, but it's something that the language could strive towards. Why wouldn't that work well with legacy projects? In fact, the projects I was a part of that I'd call legacy nowadays, was in fact built by copy-and-pasting .js libraries into a "vendor/" directory, and that's how we shipped it as well, this was in the days before Bower (which was the npm of frontend development back in the day), vendoring JS libs was standard practice, before package managers became used in frontend development too. Not sure why it wouldn't work, JavaScript is a very moldable language, you can make most things work one way or another :)( |
|
|
| ▲ | tliltocatl 2 hours ago | parent | prev | next [-] |
| I agree that dependencies are a liability, but, sadly, "batteries included" didn't work out for Python in practice (i. e. how do I even live without numpy? No, array aren't enough). |
| |
| ▲ | jcgl an hour ago | parent [-] | | To the extend that Python is indeed "batteries included," that seems true. But just how "batteries included" is it? I'd argue that its batteries are pretty limited. Exhibit A: everybody uses the third-party requests instead of the stdlib urllib. Exhibit B: http.server isn't a production-ready webserver, so people use Flask or something beefier. I'd contrast Python with Go, which has an amazing stdlib for the domains that Go targets. This last part is key--Go has a more focused scope than Python, and that makes it easier for its stdlib to succeed. | | |
| ▲ | seunosewa an hour ago | parent [-] | | We could have different Python package bundles: Python base. Python webdev. Python desktop. |
|
|
|
| ▲ | Lord_Zero 2 hours ago | parent | prev | next [-] |
| So, youre on Microsoft then, judging by ScottPlot you write .NET desktop apps. If you use Dapper, you probably use Microsoft.Data.SqlClient, which is... distributed over NuGet and vulnerable to supply chain attack. You may not need many deps as a desktop dev. Modern day line of business apps require a lot more deps. CSVHelper, ClosedXML, AutoMapper, WebOptimizer,
NetEscapades.AspNetCore.SecurityHeaders. Yes less deps people need the better but it doesn't fix trhe core problem. Sharing and distrib uting code is a key tenant of being able to write modern code. |
|
| ▲ | 14 minutes ago | parent | prev | next [-] |
| [deleted] |
|
| ▲ | binsquare 18 minutes ago | parent | prev | next [-] |
| yep! This is exactly the world I'm working towards with packaging tooling with a virtual machine i.e. electron but with virtual machines instead so the isolation aspect comes by default. |
|
| ▲ | raincole 2 hours ago | parent | prev | next [-] |
| Different programmers have very different ideas about what is "all the functionality you typically need." |
|
| ▲ | junon 8 hours ago | parent | prev | next [-] |
| This is a rather superlative and tunnel vision, "everything is a nail because I'm a hammer" approach. The truth is this is an exceedingly difficult problem nobody has adequately solved yet. |
| |
| ▲ | bbkane 4 hours ago | parent [-] | | I think the AI tooling is, if not completely solving sandboxing, at least making the default much better by asking you every time they want to do something and providing files to auto-approve certain actions. Package managers should do the same thing | | |
| ▲ | hectdev 3 hours ago | parent | next [-] | | Another layer of AI tooling is the cost of spinning up your own version of some libraries is lowered and can be made hyper specific to your needs rather than pulling in a whole library with features you'll never use. | |
| ▲ | nailer an hour ago | parent | prev [-] | | > at least making the default much better by asking you every time they want to do something Really? I thought 'asking you every time they want to do something' was called 'security fatigue' and generally considered to be a bad thing. Yes you can concatenate files in the current project, Claude. | | |
| ▲ | bbkane an hour ago | parent [-] | | Yes it has to be combined with a robust way to allowlist actions you trust |
|
|
|
|
| ▲ | mrsmrtss 7 hours ago | parent | prev | next [-] |
| Fully agree with this! I think today .NET is probably the most batteries included platform you can get. This means that even if you use third-party libraries, these typically depend only on first-party dependencies, making it much less likely for something shady to sneak in. |
| |
| ▲ | pier25 3 hours ago | parent | next [-] | | Kinda. With Bun I use less dependencies from NPM than I used from Nuget with .NET to build minimal apis. For example the pg driver. | |
| ▲ | raddan 4 hours ago | parent | prev | next [-] | | With the notable exception of cross-platform audio. | | |
| ▲ | duped 2 hours ago | parent [-] | | Not really notable, aiui the only mainstream language with anything like that is JS in the browser And for good reason. There are enough platform differences that you have to write your own code on top anyway. |
| |
| ▲ | Imustaskforhelp 7 hours ago | parent | prev | next [-] | | To me, I really like Golang's batteries included platform. I am not sure about .NET though | | |
| ▲ | jeswin 5 hours ago | parent [-] | | C#'s LINQ (code as data, like LISP) wins over golang for any type of data access. Strongly-typed, language-native queries. Go has its own advantages though. | | |
| |
| ▲ | jeswin 5 hours ago | parent | prev [-] | | And now with NativeAOT, you can use C# like go - you don't need to ship the CLR. |
|
|
| ▲ | troad 5 hours ago | parent | prev | next [-] |
| What are some examples of batteries-included languages that folk around here really feel productive in and/or love? What makes them so great, in your opinion? (Leaving aside thoughts on language syntax, compile times, tooling etc - just interested in people's experiences with / thoughts on healthy stdlibs) |
| |
| ▲ | bbkane 4 hours ago | parent | next [-] | | Go is well known for its large and high quality std lib | | |
| ▲ | philipwhiuk 2 hours ago | parent [-] | | Go didn't even have versioning for dependencies for ages, so CVE reporting was a disaster. And there's plenty of libraries you'll have to pull to get a viable product. |
| |
| ▲ | pyjarrett 5 hours ago | parent | prev [-] | | These are the big ones I use, specifically because of the standard libraries: Python (decent standard library) - It's pretty much everywhere. There's so many hidden gems in that standard library (difflib, argparse, shlex, subprocess, cmd) C#/F# (.NET) C# feels so productive because of how much is available in .NET Core, and F# gets to tag along and get it all for free too. With C# you can compile executables down to bundle the runtime and strip it down so your executables are in the 15 MiB range. If you have dotnet installed, you can run F# as scripts. | | |
| ▲ | troad 4 hours ago | parent [-] | | These are definitely some good thoughts, thanks! Do you worry at all about the future of F#? I've been told it's feeling more and more like a second-class citizen on .NET, but I don't have much personal experience. | | |
| ▲ | pyjarrett an hour ago | parent [-] | | I used to, but the knowledge of .NET seems mostly transferrable to C#. It's super useful to do `dotnet fsi` and then work out the appropriate .NET calls in the F# repl. |
|
|
|
|
| ▲ | gedy 5 hours ago | parent | prev | next [-] |
| > "Batteries included" ecosystems are the only persistent solution to the package manager problem. The irony in this case is that axios is not really needed now given that fetch is part of the JS std lib. |
|
| ▲ | invaliduser 6 hours ago | parent | prev | next [-] |
| For a lot of code, I switched to generating code rather than using 3rd party libraries.
Things like PEG parsers, path finding algorithms, string sanitizers, data type conversion, etc are very conveniently generated by LLMs. It's fast, reduces dependencies, and feels safer to me. |
| |
| ▲ | troad 6 hours ago | parent | next [-] | | Ah, so you've traded the possibility of bad dependencies for certainty. | | |
| ▲ | raddan 4 hours ago | parent | next [-] | | Remember, our objective function here is “feels safe.” | |
| ▲ | invaliduser 4 hours ago | parent | prev [-] | | How can you come to that conclusion, given the specific examples I have given, which are tedious to write, but easy to proof-read and test? | | |
| |
| ▲ | tzs 4 hours ago | parent | prev [-] | | Or find the best third party library and copy the code from a widely used version that has been out long enough to have been well tested into your source tree. The problem is not third party libraries. It is updating third party libraries when the version you have still works fine for your needs. | | |
| ▲ | estebank 2 hours ago | parent [-] | | Don't do this. Use a package manager that let's you specify a specific version to pin against. Vendoring side steps most automated tooling that can warn you about vulnerabilities. Vendoring is a signal that your tooling is insufficient, 99% of the time. |
|
|
|
| ▲ | christophilus 7 hours ago | parent | prev | next [-] |
| Honestly, you can get pretty far with just Bun and a very small number of dependencies. It’s what I love most about Bun. But, I do agree with you generally. .NET is about as good as I’ve ever seen for being batteries included. I just hate the enterprisey culture that always seems to pervade .NET shops. |
| |
| ▲ | bob1029 7 hours ago | parent [-] | | I agree about the culture. If I take my eye off the dev team for too long, I'll come back and we'll be using entity framework and a 20 page document about configuring code cleanup rules in visual studio. | | |
|
|
| ▲ | pier25 3 hours ago | parent | prev | next [-] |
| I agree. Got downvoted a lot the other day for proposing Node should solve fundamental needs. |
|
| ▲ | TZubiri 3 hours ago | parent | prev | next [-] |
| But javascript is batteries included in this case, you can use xmlhttprequest or fetch |
|
| ▲ | philipwhiuk 2 hours ago | parent | prev | next [-] |
| Language churn makes this problem worse. Frankly inventing a new language is irresponsible these days unless you build on-top of an existing ecosystem because you need to solve all these problems. |
|
| ▲ | gib444 7 hours ago | parent | prev [-] |
| What kind of apps do you build / industry etc? |
