Your typical Node project
-
Be the change you want to see in the world, people. Don't use any Node (or Rust or Python or Java or whatever) modules that have more dependencies than they absolutely, positively, 100%, for real have to. It's really not that hard. It doesn't have to be this way.
Which sounds like great, practical advice in a theoretical perfect world!
But, the reality of the situation is that professionals are usually balancing a myriad of concerns and considerations using objective and subjective evaluations of what's required of us and quite often inefficiency, whether in the form of programmatic complexity or in the form of disk storage or otherwise, has a relatively low precedent compared to everything else we need to achieve if we want happy clients and a pay check.
-
Off topic but what's the point of a book that thick other than novelty? Would make much more sense to just separate into volumes
Seems like it would break quickly with use
-
I sort of have a suspicion that there is some mathematical proof that, as soon as it becomes quick and easy to import an arbitrary number of dependencies into your project along with their dependencies, the size of the average project's dependencies starts to follow an exponential growth curve increasing every year, without limit.
I notice that this stuff didn't happen with package managers + autoconf/automake. It was only once it became super-trivial to do from the programmer side, that the growth curve started. I've literally had trivial projects pull in thousands of dependencies recursively, because it's easier to do that than to take literally one hour implementing a little modified-file watcher function or something.
It's certainly more painful to collect dependencies with cmake, so it's not worth doing if you can hand roll your own easily enough.
The flip side is that by using a library, it theoretically means it should be fairly battle-tested code, and should be using appropriate APIs. File watching has a bunch of different OS specific APIs that could be used, in addition to the naive "read everything periodically" approach, so while you could knock something together in an hour, the library should be the correct approach. Sadly, at least in rust land, there are a ton of badly written libraries to wade through...
-
And this is why tree shaking exists.
-
Which sounds like great, practical advice in a theoretical perfect world!
But, the reality of the situation is that professionals are usually balancing a myriad of concerns and considerations using objective and subjective evaluations of what's required of us and quite often inefficiency, whether in the form of programmatic complexity or in the form of disk storage or otherwise, has a relatively low precedent compared to everything else we need to achieve if we want happy clients and a pay check.
Saying "we can't in practice reduce the complexity of our dependency tree because we need happy clients and a pay check" is like saying "we can't in practice turn on the propeller because we need to get this airplane off the ground".
-
Be the change you want to see in the world, people. Don't use any Node (or Rust or Python or Java or whatever) modules that have more dependencies than they absolutely, positively, 100%, for real have to. It's really not that hard. It doesn't have to be this way.
This applies to developers, too.
External dependencies put end users at risk, so I avoid them as much as possible. If that means I have to rethink my design or write some boring modules myself, then so be it.
-
Feels like a lot of “not inventing the wheel” - which is good? There are plenty of good wheels out there.
But I don't NEED a wheel, I just need a tarp to put over this metal frame on my patio, and for some reason the tarp manufacturer attaches wheels and plane wings to it!?
-
Feels like a lot of “not inventing the wheel” - which is good? There are plenty of good wheels out there.
Until those wheels contain malware and spyware.
-
And this is why tree shaking exists.
What is that?
-
It's certainly more painful to collect dependencies with cmake, so it's not worth doing if you can hand roll your own easily enough.
The flip side is that by using a library, it theoretically means it should be fairly battle-tested code, and should be using appropriate APIs. File watching has a bunch of different OS specific APIs that could be used, in addition to the naive "read everything periodically" approach, so while you could knock something together in an hour, the library should be the correct approach. Sadly, at least in rust land, there are a ton of badly written libraries to wade through...
Yeah. I have no idea what the answer is, just describing the nature of the issue. I come from the days when you would maybe import like one library to do something special like .png reading or something, and you basically did all the rest yourself. The way programming gets done today is wild to me.
-
I should check Go's pkg folder...
-
What is that?
If you import 1% of your module code, you only compile the actual used code. Tree shaking is removing dead code paths that aren't used.
-
If you import 1% of your module code, you only compile the actual used code. Tree shaking is removing dead code paths that aren't used.
Ah ok gotcha
-
Saying "we can't in practice reduce the complexity of our dependency tree because we need happy clients and a pay check" is like saying "we can't in practice turn on the propeller because we need to get this airplane off the ground".
Clients don't care much about the dependency graph. They do care about delivering on time and sometimes not reinventing a bunch of wheels is crucial for that.
-
This applies to developers, too.
External dependencies put end users at risk, so I avoid them as much as possible. If that means I have to rethink my design or write some boring modules myself, then so be it.
Depends on the use case, and what you mean by “external dependencies”.
Black box remote services you’re invoking over HTTP, or source files that are available for inspection and locked by their hash so their contents don’t change without explicit approval?
Cuz I’ll almost entirely agree on the former, but almost entirely disagree on the latter.
In my career:
I’ve seen multiple vulns introduced by devs hand-writing code that doesn’t follow best practices while there were packages available that did.
I have not yet seen a supply chain attack make it to prod.
The nice thing about supply chain attacks though: they get publicly disclosed. Your intern’s custom OAuth endpoint that leaks the secret? Nobody’s gonna tell you about that.
-
But I don't NEED a wheel, I just need a tarp to put over this metal frame on my patio, and for some reason the tarp manufacturer attaches wheels and plane wings to it!?
The package comes with all the bells and whistles but the final build only contains the tarp, if you import it right and tree shake it.
-
Which sounds like great, practical advice in a theoretical perfect world!
But, the reality of the situation is that professionals are usually balancing a myriad of concerns and considerations using objective and subjective evaluations of what's required of us and quite often inefficiency, whether in the form of programmatic complexity or in the form of disk storage or otherwise, has a relatively low precedent compared to everything else we need to achieve if we want happy clients and a pay check.
Lol yeah working in enterprise software for a long time, it's more like:
- Import what you think you need, let the CI do a security audit, and your senior engineers to berate you if you import a huge unnecessary library where you only need one thing
- Tree shake everything during the CI build so really the only code that gets built for production is what is being used
- Consistently audit imports for security flaws and address them immediately (again, a CI tool)
- CI
Basically just have a really good set of teams working on CI in addition to the backend/frontend/ux/security/infrastructure/ whatever else teams you have
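
Added example, not part of any post in this thread: a Node.js sketch of the kind of CI check described above, and of what "locked by their hash" in the earlier reply means for a `package-lock.json` (lockfileVersion 2/3). The allowed registry, the package names and the sample lockfile are assumptions constructed for illustration.

```javascript
const crypto = require('crypto');

// Assumption: policy allows only the public npm registry.
const REGISTRY = 'https://registry.npmjs.org/';
const STRONG = ['sha256', 'sha384', 'sha512'];

// SRI string ("sha512-<base64>") for tarball bytes, the form npm stores in `integrity`.
function sri(bytes, algo = 'sha512') {
  return `${algo}-${crypto.createHash(algo).update(bytes).digest('base64')}`;
}

// True only if the bytes hash to exactly the value pinned in the lockfile.
// Handles a single-hash integrity string; sha1 and unknown algorithms are refused.
function matchesLock(bytes, integrity) {
  const algo = String(integrity).split('-')[0];
  if (!STRONG.includes(algo)) return false;
  const got = Buffer.from(sri(bytes, algo));
  const want = Buffer.from(integrity);
  return got.length === want.length && crypto.timingSafeEqual(got, want);
}

// Walk the `packages` map of a lockfileVersion 2/3 file and collect policy violations.
function auditLockfile(lock) {
  const report = { total: 0, missingIntegrity: [], weakHash: [], offRegistry: [] };
  for (const [path, pkg] of Object.entries(lock.packages || {})) {
    // Skip the root project, workspace links, and files bundled in a parent tarball.
    if (path === '' || pkg.link || pkg.inBundle) continue;
    report.total += 1;
    if (!pkg.integrity) report.missingIntegrity.push(path);
    else if (!STRONG.includes(pkg.integrity.split('-')[0])) report.weakHash.push(path);
    if (!String(pkg.resolved || '').startsWith(REGISTRY)) report.offRegistry.push(path);
  }
  return report;
}

// Constructed sample data (package names, URLs and bytes are made up).
const tarball = Buffer.from('constructed tarball bytes');
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/demo-a': { resolved: REGISTRY + 'demo-a/-/demo-a-1.0.0.tgz', integrity: sri(tarball) },
    'node_modules/demo-a/node_modules/demo-b': {
      resolved: REGISTRY + 'demo-b/-/demo-b-0.1.0.tgz', integrity: 'sha1-AAAAAAAAAAAAAAAAAAAAAAAAAAA=' },
    'node_modules/demo-c': { resolved: 'git+ssh://git@git.example/demo-c.git#0000000' },
  },
};

console.log(auditLockfile(sampleLock));
```

A CI job would fail the build when any of the three lists is non-empty, and `total` gives the transitive dependency count to track over time.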
-
Why write code, when someone else already wrote it?
-
Clients don't care much about the dependency graph. They do care about delivering on time and sometimes not reinventing a bunch of wheels is crucial for that.
As the guy people come to when they've spent days banging their heads against a dependency conflict problem rather than delivering value for the business, I wish the folks on my team would take the proverb "a little copying is better than a little dependency" to heart a little more.
-
Off topic but what's the point of a book that thick other than novelty? Would make much more sense to just separate into volumes
You get books like that for voluminous stuff like parliament debate transcripts for an entire parliamentary term.
They're generally one-off or only a handful printed and kept as archival records.
Almost no one would ever need the physical book, it exists as a physical tome to cite/reference.