I think on the first point, we have to start calling out authors of packages which (IMO) have built out these deptrees to their own subpackages basically entirely for the purpose of getting high download counts on their GitHub account

Like seriously... at 50 million downloads maybe you should vendor some shit in.

Packages like this which have _7 lines of code_ should not exist! The metadata of the lockfile is bigger than the minified version of this code!

At one point in the past like 5% of create-react-app's dep list was all from one author who had built out their own little depgraph in a library they controlled. That person also included download counts on their GitHub page. They have since "fixed" the main entrypoint to the rats nest though, thankfully.

https://www.npmjs.com/package/has-symbols

https://www.npmjs.com/package/is-string

https://github.com/ljharb

> entirely for the purpose of getting high download counts on their GitHub account

Is this an ego thing or are people actually reaping benefits from this?

Anthropic recently offered free Claude to open source maintainers of repositories with over X stars or over Y downloads on npm. I suppose it is entirely possible that these download statistics translate into financial gain...

Yes, there's definitely a financial gain aspect here. Tidelift provides $50/month for each of these packages. https://tidelift.com/lifter/search/npm/has-symbols

The incentives are pretty clear: more packages, more money.

https://immich.app/cursed-knowledge

> There is a user in the JavaScript community who goes around adding "backwards compatibility" to projects. They do this by adding 50 extra package dependencies to your project, which are maintained by them.

> 6/28/2024

from a security perspective this is even worse than it looks. every one of those micro packages is an attack surface. we just saw the Trivy supply chain get compromised today and that's a security tool. now imagine how easy it is to slip something into a 7 line package that nobody audits because "it's just a utility." the download count incentive makes it actively dangerous because it encourages more packages not fewer.

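Added example, not from the thread or from any of the packages named in it: a small script over an npm package-lock.json (v2/v3 "packages" layout) that reports, for each direct dependency, how many installed packages exist on its account and which of them nothing else needs, i.e. what vendoring those few lines in would actually remove from the attack surface. The lockfile below is constructed; the names borrow from the thread but the versions and dependency edges are illustrative, not the real packages' metadata.

```javascript
// Resolve a dependency name from an install path the way Node does:
// nearest node_modules first, then each ancestor's node_modules.
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (base === "") return null;
    // drop the trailing "node_modules/<pkg>" (or "node_modules/@scope/<pkg>") segment
    base = base.replace(/\/?node_modules\/(@[^/]+\/)?[^/]+$/, "");
  }
}
// Every package reachable from startPath through "dependencies" edges (DFS), itself included.
function transitiveDeps(packages, startPath) {
  const seen = new Set(startPath ? [startPath] : []), stack = [...seen];
  while (stack.length) {
    const p = stack.pop();
    for (const dep of Object.keys(packages[p].dependencies || {})) {
      const r = resolveDep(packages, p, dep);
      if (r && !seen.has(r)) { seen.add(r); stack.push(r); }
    }
  }
  return seen;
}
// Per direct dependency: how many packages are installed on its account, and which
// of those no other direct dependency needs (what vendoring it in would remove).
function dependencyReport(lock) {
  const packages = lock.packages;
  const direct = Object.keys((packages[""] || {}).dependencies || {});
  const closures = Object.fromEntries(
    direct.map((n) => [n, transitiveDeps(packages, resolveDep(packages, "", n))]));
  const report = {};
  for (const name of direct) {
    const shared = new Set(direct.filter((o) => o !== name).flatMap((o) => [...closures[o]]));
    const only = [...closures[name]].filter((p) => !shared.has(p)).sort();
    report[name] = { installs: closures[name].size, removableByVendoring: only };
  }
  return report;
}
// Constructed lockfile in the v3 "packages" layout. Names borrow from the
// thread; versions and edges are illustrative, not the real packages' data.
const sampleLock = { lockfileVersion: 3, packages: {
  "": { dependencies: { "is-string": "^1.0.0", "left-pad": "^1.0.0" } },
  "node_modules/is-string": { version: "1.0.0", dependencies: { "has-tostringtag": "^1.0.0" } },
  "node_modules/has-tostringtag": { version: "1.0.0", dependencies: { "has-symbols": "^1.0.0" } },
  "node_modules/has-symbols": { version: "1.0.0" },
  "node_modules/left-pad": { version: "1.0.0", dependencies: { "has-symbols": "^1.0.0" } },
} };
console.log(JSON.stringify(dependencyReport(sampleLock), null, 2));
```

Point it at a real lockfile with `JSON.parse(fs.readFileSync("package-lock.json"))` in place of `sampleLock`; a direct dependency whose `removableByVendoring` list is long relative to the code it contributes is the case the thread is complaining about.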
I remember seeing this one guy who infiltrated some gh org, and then started adding his own packages to their dependencies or something to pad up his resume/star count.

Really escapes me who it was.

As usual, there's a cultural issue here. I know it's entirely possible to paste those seven lines of code into your app. And in many development cultures this will be considered a good thing.

If you're working with JavaScript people, this is referred to as "reinventing the wheel" or "rolling your own", or any variation of "this is against best practice".

The article and (overall) this comments section has thankfully focused on the problem domain, rather than individuals.

As the article points out, there are competing philosophies. James does a great job of outlining his vision.

Education on this domain is positive. Encouraging naming of dissenters, or assigning intent, is not. Folks in e18e who want to advance a particular set of goals are already acting constructively to progress towards those goals.

Hat tip to Sindre who has fifty bagillion packages but few of them depend on more than one of his other packages.
As usual, he's copying someone else who's been doing this for years:

https://www.npmjs.com/package/is-number - and then look and see shit like is odd, is even (yes two separate packages because who can possibly remember how to get/compare the negated value of a boolean??)

Honestly for how much attention JavaScript has gotten in the last 15 years it's ridiculous how shit its type system really is.

The only type related "improvement" was adding the class keyword because apparently the same people who don't understand "% 2" also don't understand prototypal inheritance.
