Eh, I’d say any language that offers a package repository is just as susceptible. I’m neither pro- nor anti- dependency, but I do always try to keep them to an absolute minimum regardless of what environment I’m working in. Sometimes it makes sense to not reinvent the wheel.
Yes, but other languages have exponentially fewer packages that install when you add something, making the attack vector smaller and easier to monitor.
The best way to fix this is for library authors to avoid installing as many sub-dependencies as possible (is-odd, being an obvious example). But that’s a fundamental culture problem.
I always reel in horror when projects have tiny, ‘negligible to implement yourself’ functions like these as dependencies. See also: is-even 🙄
Edit: is-even has a dependency on is-odd, which has a dependency on is-number. 🤦‍♂️ And the whole implementation of is-number, which is at version 7.0.0:

```javascript
module.exports = function(num) {
  if (typeof num === 'number') {
    // NaN - NaN and Infinity - Infinity are both NaN, so NaN and ±Infinity fail here
    return num - num === 0;
  }
  if (typeof num === 'string' && num.trim() !== '') {
    // coerce numeric strings; fall back to the global isFinite on old engines
    return Number.isFinite ? Number.isFinite(+num) : isFinite(+num);
  }
  return false;
};
```
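The thread's point about transitive sub-dependencies is easiest to see by measuring them. As an added example (not code from the thread or from any of these packages), this Node script walks a package-lock.json and lists everything a single direct dependency pulls in; the lockfile is constructed to mirror the is-even → is-odd → is-number chain, and every version except is-number@7.0.0 is a placeholder.

```javascript
// Constructed lockfile (lockfileVersion 3 "packages" map) mirroring the chain
// is-even -> is-odd -> is-number. Only is-number@7.0.0 is a real version from the thread.
const lock = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "is-even": "0.0.0-placeholder" } },
    "node_modules/is-even": { version: "0.0.0-placeholder", dependencies: { "is-odd": "0.0.0-placeholder" } },
    "node_modules/is-odd": { version: "0.0.0-placeholder", dependencies: { "is-number": "7.0.0" } },
    "node_modules/is-number": { version: "7.0.0" },
  },
};

// Resolve a dependency name to its lockfile key the way npm resolves it on disk:
// a copy nested under the requiring package wins, otherwise walk up towards the root.
function resolveEntry(lock, fromKey, name) {
  let base = fromKey;
  for (;;) {
    const candidate = base ? `${base}/node_modules/${name}` : `node_modules/${name}`;
    if (lock.packages[candidate]) return candidate;
    if (!base) return null;
    base = base.replace(/(^|\/)node_modules\/[^/]+$/, "");
  }
}

// Return the sorted transitive closure ("name@version") installed because of one
// direct dependency. Cycles are harmless: each lockfile key is visited once.
function transitiveClosure(lock, rootDep) {
  const seen = new Map(); // lockfile key -> version
  const stack = [["", rootDep]];
  while (stack.length) {
    const [fromKey, name] = stack.pop();
    const key = resolveEntry(lock, fromKey, name);
    if (!key) throw new Error(`unresolved dependency ${name} from ${fromKey || "root"}`);
    if (seen.has(key)) continue;
    const entry = lock.packages[key];
    seen.set(key, entry.version);
    for (const dep of Object.keys(entry.dependencies || {})) stack.push([key, dep]);
  }
  return [...seen.entries()]
    .map(([key, version]) => `${key.split("node_modules/").pop()}@${version}`)
    .sort();
}

console.log(transitiveClosure(lock, "is-even")); // three packages for one is-even
```

Run against a real project's package-lock.json (`JSON.parse(fs.readFileSync("package-lock.json"))`) the same function shows how many packages each direct dependency is really responsible for.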
The node.js ecosystem has always been madness.
I think is-odd is intentionally a reference to / satire of leftpad
It was created in 2014, 2 years before the leftpad incident, when a user was learning JavaScript. They now have over 350k downloads per week.
However, https://github.com/slmjkdbtl/is-is-odd/issues/4 is a wonderful work of satire.
Used in is-ten. Genius
At this point it’s just a joke. Is there an npm for console log? I’ll have to check.
There’s an npm for everything.
JavaScript is a dangerous shitshow for this exact reason. Dependencies are a security and stability nightmare.
This is why I only code in Assembly. /jk
I can’t even…
Yes you can, just don’t odd
Created by the organization “i-voted-for-trump”
Lol, I saw that. If you go to their main page, it’s explained that it’s a joke.
Yeah, Trump didn’t even exist in 2014!
/s
he never did
Hah, even!