Ranter
Join devRant
Do all the things like
++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatar
Sign Up
Pipeless API
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple API
Learn More
Comments
-
benj8831yThere’s this archaic language that uses some weird symbols like <form>
Legend has it that that was all was needed! Such fantasies! -
benj8831yI know! Why would anybody use a tag when you can make you app 100x slower! It’s inconceivable! 🤣
-
To view any HTML5 form you need thousands of packages made by cities' worth of people over the course of 30 years, it's just neatly packaged as a web browser. The NPM ecosystem is terrible but the reason isn't the many thousands of packages that correctly follow separation of concerns.
-
@Root GCC alone is 150mb. Luckily, dev toolchains are optimized for entirely different targets from the applications themselves.
-
Root826021y@lorentz That’s fair, it is the entire toolchain, and most of it isn’t bundled with your built application.
-
benj8831yFor me is not only the size, is the black hole of unknown that is there. The size of gcc or the size of a 4k movie are not really code that runs without you knowing what is doing. Gcc compiles you program and it one is paranoid it is possible to disassemble it and see what is doing, a 4k movie doesn’t (hopefully) run any arbitrary code. But 100+ npm packages is something that is being used not only to build the app but also delivered with it and thus one takes responsibility of it. With the sheer amount of dependencies and dependencies to dependencies not a lot of people keep an eye of those 200mb of code for a simple react app, and it has bitten us before in the back!
https://theregister.com/2022/02/... -
benj8831y@dder that’s fair. The difference with NPM IMHO is one of obscurity and probably why it’s become a target for malware and it has gotten away with it. With the nodejs ecosystem you have software tuning software running software running software (from react code being processed by jsx to sass processed by some lib in rust to all that output packaged and then minified to finally running in the browser to the browser running in an OS). And it’s quite cumbersome to audit all the layers. Also adding/modifying packages in NPM is trivial.
For a C lib, yes, anybody can pull some random header from GitHub with all kinds of malware, but that’s not usually how they are distributed. Either libraries are compiled statically or they are distributed by things like brew or apt-get or yum, in Linux and other OS package managers, and the barrier of entry there is a lot higher. Heck, I’m aware of devs that don’t use anything that hasn’t been out here for at least 20+ years! -
dder23231y@mansur85 yeah, why is npm worse then?
@benj I do agree that it’s trivial to publish an npm package. But it is rather hard to get people to use it, ie build a community around it. Once you have a community and maintainers, etc, it gets harder to publish malicious code, because more eyes are watching.
Again, this is ecosystem and language agnostic.
Sure it might be easier for bug to be present if you have a build system of many tools, but that is similar to even auto tools or cmake, make, ninja, …
Related Rants
to create a fucking form in react, i need to install 199+ packages fuck that.
devrant
react