average day in NPM land - programming.dev

Link to the PR? The PR description and the comment somehow contradict each other. Or I am stupid. Or the commenter.
fix: replace is-number dep with a one-liner by talentlessguy · Pull Request #17 · micromatch/to-regex-range

This PR replaces is-number package with a one-liner with identical code. It passes all the tests (npm run test). This tiny change saves 440GB weekly traffic: Package size report ===================...


Thanks!

What a shit show.

440GB weekly for “is number”. What in the world is that package doing?


It handles a bunch of weird edge cases, mostly. And is downloaded almost 70M times a week!

Sadly, it’s a stupid dependency of a lot of things.

Just ran npm explain is-number on one of my projects, and it’s a dependency of to-regex-range which is a dependency of fill-range which is a dependency of…and so on up the chain.

I was hoping I wouldn’t find that in there, but alas, it is.

Given that this screenshot is about to-regex-range I think they might be on to something!

🤦‍♂️😆

Didn’t even catch that in the screenshot. lol

I don’t get the concept that depending on 7 lines of code from a third-party package is remotely acceptable. It’s expanding the potential attack surface to save a dev from templating 7 lines of boilerplate. There’s no net benefit or appreciable time saved.

I’m glad I don’t have to deal with this regularly.

ETA: The package is even MIT licensed! There’s no excuse but laziness and not wanting to understand the code to import this rather than inlining or implementing a novel version. If I can spend the time to write:

    if err != nil {
        slog.Warn("well shit", "error", err)
        return err
    }

after every function call…I just didn’t get it.

You’re right, it’s not sane! The js ecosystem is hell

is-number is a one-line function. You may have heard of a similar “microdependency” called is-even. When you use an NPM package, you also need all the dependencies of that package, and their dependencies recursively. Each package has some overhead, eventually leading to this moment in time.

Web bloat in a nutshell and why we need to switch to things like Web Assembly more than ever. It’s not WASM, but I used Laminar which is a Scala.js library, and it’s the absolute pinnacle of (frontend) web development. Scala in general is just really great for idiomatic web code.

Another amazing alternative would be anything Rust. In fact I’ve used that much more than Scala for web. I’ve mainly used Leptos for full-stack and Actix for backend, but I’ve seen Dioxus and Axum in good use and they both seem really great too.

Apparently Lemmy uses Leptos so… that’s a +1.

I feel like this is completely avoidable bloat.

You could quite easily create this bloat in any language

I’m not sure this is a valid estimate. If they were to replace is-number with its contents, that would mean that the economy is only in HTTP-related overhead.

It may make a difference because of the build phase, lock-files, package-files, but I am not sure that the data-traffic difference is that big

Another day of being extremely thankful I decided not to learn JavaScript
I mean, the people relying on such packages didn’t learn it either.
I only glossed over it… but this looks like it’s trying to check dynamic typing issues? It’s like a statically typed language with extra steps?
I don’t think TypeScript exists because JavaScript wasn’t designed to be statically typed. I think TypeScript exists because JavaScript wasn’t really designed, period.
This can happen in any project that uses dependencies, javascript or not
Sure, but when was the last time you saw, say, a Python project using some third-party library instead of simply calling isnumeric() from the standard library?

Python has other stupid problems related to pip. As much as stupid micro-dependencies suck on Javascript, they’re not the shitshow managing dependencies in Python is. It’s an inefficiency that never actually caused me noticeable issues in my former webdev life.

And let’s not talk about C++… People reinvent all sorts of wheels all the time because sharing anything is so annoying.

lol just use a virtual environment, it’s the default now anyways

I know it is, and I find it to be a pretty ridiculously complex fix for a self-inflicted wound.

The disruption it’s caused me outweighs by far any minor inconvenience with the multiplication of micro packages in the NodeJS world. There’s that, and the Python 2 vs 3 shitshow from which the world still hasn’t fully recovered yet.

I mean it: Python has no business laughing at Javascript. Get your act together, snek 😜

And let’s not talk about C++…

Don’t worry, people make plenty of jokes about C++ too.

Hell, people joke about my favourite language too - Cargo build times are a meme unto themselves.

I don’t think there’s a truly great dependency management system there. Though all in all, I’ve generally had no MAJOR issues with Cargo, Maven or Gradle.

How’s the view up there on your high horse?
Must be pretty good, considering literally every time I check in on the JavaScript community it is somehow more on fire than it was last time. I guess I must have a front row seat to all their misfortune. Either that or they’re just incompetent, but it couldn’t be that, could it?
Look at what you’re missing!
These are both made by the same person from this PR (who made both the package the PR is on, and the is-number package that is being removed as a dep)
Heaven forbid they make a package is-even-or-odd with both. Wait. Don’t give them ideas. They’ll just make it depend on both.
Note that the PR was later merged by a member who got fed up with his colleagues.
And who hasn’t contributed any code to this particular repo (according to github insights).
Not familiar with this exact team, but a skilled reviewer/issue triager is useful. We can hope this person at least tested the changes.
The person who opened the pr already did
I’ve literally told my coworkers “I’m not saying we should never use dependencies. But every time you add a dependency, you should hate yourself a little bit more. Some self flagellation can’t hurt either.”
One of the (few) good things about corporate bureaucracy is that if I want to use a new dependency, I have to double check the licence and if it has any restrictions, I need to tell my PM or release engineer to create a new request with legal who will get back to us in 2-3 weeks.

So, every time I use a library to recognize patterns on a picture, to interact with Kafka, do some SSL, or do database mapping, I should hate myself, noted

We did Elastic API integration in Java by creating and maintaining a huge half-code-generated transformer from code to Elasticsearch’s JSONs. It was a pain and it was the source of more than one error.

Dependencies should be reviewed and audited to make sure they do what you need and they are worth using. Just making everything in-house gets you nowhere most of the time.

Nobody is arguing that you should never depend on anything and create everything yourself, but adding a dependency for literally a one liner function is awful. Like one of the Go proverbs goes, a little copying is better than a little dependency.
Yeah, there’s mention of doing the opposite in C++ community in a neighbouring thread
You code in Java, of course you should self flagellate on a daily basis just for that. The entire ecosystem is completely fucked.
Joke’s on you, I code in Rust
Then the joke is very much on us.
To be fair, it wasn’t the ecosystem that made me want to abandon Java, but now I can see it should’ve :)
That is what they were getting at by some self flagellation can’t hurt either. That sometimes “hating yourself” (adding dependencies) is worth it.
I read it as “also throw in some physical pain cause just feeling bad is not quite enough” 🤔

It looks like “is-number” was never more than a few simple lines of code. It still has 68 million downloads per week.

www.npmjs.com/package/is-number

is-number

Returns true if a number or string value is a finite number. Useful for regex matches, parsing, user input, etc.. Latest version: 7.0.0, last published: 6 years ago. Start using is-number in your project by running `npm i is-number`. There are 2708 other projects in the npm registry using is-number.

What a sassy package dependency

is-number is a project by John Schlinkert. John has a background in sales and marketing before he became an open source programmer and started creating these types of single function packages. So far he has about 1400 projects. Not all of them are this small, though many are.

He builds a lot of very basic functionality packages. Get the first n values from an array. Sort an array. Set a non-enumerable property on an object. Split a string. Get the length of the longest item in an array. Check if a path ends with some string. It goes on and on.

If you browse through, it’s not uncommon to find packages that do nothing but call another package of his. For example, is-valid-path provides a function to check if a Windows path contains any invalid characters. The only thing it does is import and call another package, is-invalid-path, and invert its output.

He has a package called alphabet that only exports an array with all the letters of the alphabet. There’s a package that provides a list of phrases that could mean “yes.” He has a package (ansi-wrap) to wrap text in ANSI color escape codes, then he has separate packages to wrap text in every color name (ansi-red, ansi-cyan, etc).

To me, 1400 projects is just an insane number, and it’s only possible because they are all so trivial. To me, it very much looks like the work of someone who cares a lot about pumping up his numbers and looking impressive. However the JavaScript world also extolled the virtues of these types of micro packages at some point so what do I know.

affirmative/index.js at master · jonschlinkert/affirmative

Array of 'yes' words and phrases that express the user's agreement with a statement or request. Intended to be fun and useful for CLI prompts, web forms, etc. - jonschlinkert/affirmative


Wow you’re right, he’s the author of the infamous “is-odd” and “is-even” packages. What an odd person.

Someone in the OP PR mentioned the amount of energy used to download these tiny packages and it’s actually something crazy to think about

It makes you wonder why anyone uses them though, since so many of them do things that are trivial in modern JavaScript.
And anyone who has been around for a while should remember when left-pad broke node.js. Including unnecessary dependencies instead of writing trivial code is just bad practice.

To me, 1400 projects is just an insane number, and it’s only possible because they are all so trivial.

Holy shit. I’m going to have to go through my team’s dependencies. I don’t feel confident that someone “maintaining” that many projects is going to be able to keep all bad actors at bay. Not to mention, none of the examples of his libraries that I’ve seen SHOULD be libraries.

It’s kind of insane how bad this whole is-number thing is. It’s designed to tell you if a string is numeric, but I would argue if you’re ever using that you have a fundamental design problem. I hate dynamic typing as much as anyone else, but if forced to use it I would at least try to have some semblance of sanity by just normalizing it to an actual number first.

Just fucking do this…

    const toRegexRange = (minStr, maxStr, options) => {
      const min = parseInt(minStr, 10);
      const max = parseInt(maxStr, 10);
      if (isNaN(min) || isNaN(max)) throw Error("bad input or whatever");
      // ...
    };

Because of the insanity of keeping them strings and only attempting to validate them (poorly) up front you open yourself up to a suite of bugs. For example, it took me all of 5 minutes to find this bug:

toRegexRange('+1', '+2') // returns "toRegexRange('+1', '+2')" which is not valid regexp
The problem is the underlying API. parseInt("550e8400-e29b-41d4-a716-446655440000", 10) (this is a UUID) returns 550. If you’re expecting that input to not parse as a number, then JavaScript fails you. To some degree there is a need for things to provide common standards. If your team all understands how parseInt works and agrees that those strings should be numbers and continues to design for that, you’re golden.
Yeah good point. I suppose the problem is this function that operates on numbers allows numeric strings to be passed in in the first place. The only place where I would really expect numeric strings to exist is captured directly from user input which is where the parsing into a numeric data type should happen, not randomly in a library function.
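The parseInt-versus-validation point in the two comments above, as an added example that is not code from the PR, from the is-number package or from any poster: isFiniteNumeric is an assumed reconstruction of an is-number-style check (finite number, or non-blank string that converts to a finite number), and toSafeInt / rangeBounds are hypothetical helpers showing the "normalize at the boundary" approach the reply recommends.

```javascript
// Lenient: parseInt reads leading digits and silently drops the rest,
// which is why a UUID "parses" to 550.
function leadingDigitsOnly(s) {
  return parseInt(s, 10);
}

// is-number-style check (assumed reconstruction, not the package's code):
// a finite number, or a non-blank string whose full content converts to one.
// Note it still accepts '+1', ' 42 ' and '0x1f', because Number() does.
function isFiniteNumeric(value) {
  if (typeof value === 'number') return Number.isFinite(value);
  if (typeof value === 'string' && value.trim() !== '') {
    return Number.isFinite(Number(value));
  }
  return false;
}

// Boundary normalization (hypothetical helper): accept only canonical
// unsigned decimal integer strings and hand back a real number, so that
// signed, hex or exponent forms never reach code that builds a regex.
function toSafeInt(s) {
  if (typeof s !== 'string' || !/^\d+$/.test(s)) {
    throw new TypeError(`expected unsigned decimal integer string, got ${JSON.stringify(s)}`);
  }
  const n = Number(s);
  if (!Number.isSafeInteger(n)) throw new RangeError(`out of safe integer range: ${s}`);
  return n;
}

// Range bounds computed on numbers, not strings (hypothetical helper).
function rangeBounds(minStr, maxStr) {
  const min = toSafeInt(minStr);
  const max = toSafeInt(maxStr);
  if (min > max) throw new RangeError(`min ${min} exceeds max ${max}`);
  return { min, max };
}

const UUID = '550e8400-e29b-41d4-a716-446655440000'; // constructed sample input
console.log(leadingDigitsOnly(UUID));   // 550
console.log(isFiniteNumeric(UUID));     // false
console.log(isFiniteNumeric('+1'));     // true: the input from the bug report passes
console.log(rangeBounds('1', '255'));   // { min: 1, max: 255 }
```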
The only two people arguing against the change were both authors/contributors of is-number lol
How many contributors could there possibly be
Is it because they included a crypto miner in the package?
If you think is-number can be replaced with a one-liner, you don’t have the enterprise code mindset. What if the world gets more inclusive and MMXXIV, ½ and ⠼⠁ become recognized as numbers?
It’s simple: ⅯⅯⅩⅩⅣ is a number, MMXXIV is not.