Recently, I was browsing through NPM (what?) when I came across some really interesting and fascinating packages. Of course, I left the most intere...
For further actions, you may consider blocking this person and/or reporting abuse
node_modules frightens me.
A simple npm/yarn install can yield thousands of depdencies... any one of which could cause the whole app to fail. It's a wonder anything works at all, really.
You won't believe how many datetimepicker packages that barely even work are out there. It's easier to implement your own than going through all of them datetimepickers.
Once You've written it, be sure to publish it to NPM!
NPM and GitHub are full of junk. Not just abandoned, pointless or broken packages, but silly/joke packages as well.
This may be fun at first, until you read this:
hackernoon.com/im-harvesting-credi...
It actually happened:
I don't know what to say. #116
@dominictarr Why was @right9ctrl given access to this repo? He added flatmap-stream which is entirely (1 commit to the repo but has 3 versions, the latest one removes the injection, unmaintained, created 3 months ago) an injection targeting ps-tree. After he adds it at almost the exact same time the injection is added to
flatmap-stream
, he bumps the version and publishes. Literally the second commit (3 days later) after that he removes the injection and bumps a major version so he can clear the repo of havingflatmap-stream
but still have everyone (millions of weekly installs) using 3.x affected.@right9ctrl If you removed flatmap-stream because your realized it was an injection attack why didn't you yank
event-stream@3.3.6
from npm and put a PSA? If you didn't know, why did you choose to use a completely unused/unknown library (0 downloads on npm until you use it)? If I had the exact date from npm in whichflatmap-stream@0.1.1
was published I wouldn't be asking you questions.I've included a break down of what I have so far on
flatmap-stream
below. It includes the portion of code not found in the unminified source offlatmap-stream@0.1.1
but found in the minified source. The code has been cleaned up a little to get a better understanding.The worst part is I still don't even know what this does... The decrypted data n[0] is byte code or something, not regular javascript, or maybe I'm just not handling it correctly.
For me the only one is left-pad who broke the internet in 2016, and I heard is was not even good code :)).
Now is even worse because the front end devs, for webpack and other utilities are using and writing more useless packages.
Now I feel the need to defend my solution of adding runtime code to ensure that a critical npm package is working as expected. I'm sure there are lots of developers out there that think that this kind of check is not needed, but what I like to remind people is that a system can fail for any number of reasons (CPUs can make mistakes or a bit can be flipped in memory due to an electrical surge). I usually don't work on software where people's lives depends on it, but I like to code as though I do. And for that, defensive programming is key. Not only do I add runtime checks in all of my functions to detect runtime bugs, I also like to add code that will look back at the call trace and fix the problematic code by patching code using heuristics and sophisticated algorithms to prevent problems from spreading to other parts of the system. I've been coding for years and this strategy has served me well.
Ah I see. Defensive programming is indeed the future.
Very Interesting, I will tried
This has to be a joke?
Yes, it is ๐
Phew, I admit, I had my logical brain on, the one with no sense of humour. Safe to say I had a weekend and feeling better ๐ค
Glad that you are feeling better :)
All these packages are meant to be used in composition when doing functional programming.
Ahhh... that makes a lot more sense!
You made my day man, thank you
Hilarious! Thanks for sharing.