The Coffee Coders

Any thoughts on create-react-app breaking due to one line npm package

Kushal Niroula (rehmatfalcon) · 1 min read

It seems like create-react-app broke because of an error in one of its npm dependencies. The dependency itself is just one line of code; more specifically, it checks whether a given object is like a promise or not (i.e. is an object with a then method).

https://github.com/then/is-promise/issues/13#issuecomment-619402307

The issue seems to have been resolved, as I can now create a new React app using create-react-app.

This situation reminds me, and apparently many others, of the time when one package was unpublished from npm and caused many projects to fail.

https://arstechnica.com/information-technology/2016/03/rage-quit-coder-unpublished-17-lines-of-javascript-and-broke-the-internet/

The package in question here is is-promise, and it has this code:

// Duck-typed promise check: truthy object or function that exposes a then() method
function isPromise(obj) {
  return !!obj && (typeof obj === 'object' || typeof obj === 'function') && typeof obj.then === 'function';
}

So what are your thoughts on it? Should such trivial functions be inlined? Or are there better alternatives?

The Coffee Coders

We are a software company based in Birtamode, Nepal.

Discussion

 

I'll admit I don't know that much about npm and dependency management (so take what I say with a grain of salt), but should packages like create-react-app be more wary of accepting minor version bumps of dependencies? In this case is-promise went from v2.1 to v2.2 and then caused this issue; should create-react-app (or whatever dependency it relied on that in turn relied on is-promise) not have automatically accepted this version bump?

I know it's not directly create-react-app's fault, but I wonder what we can do about it from the perspective of the packages that use these dependencies. What's stopping someone from putting dodgy code in their widely-used package and doing a minor version bump?

 

I think we should be explicit about the version that we depend upon and change the dependency version only when we are sure that we want to upgrade and that our code does not break. I know this means more work to do and keep track of, but maybe it is the price we have to pay for stability, and especially in case of popular packages like create-react-app.

 

My thoughts are that it just shows that the whole JS framework bandwagon is a prime example of horrible decisions escalating in the wrong direction. Simple. It is also an example of what will KEEP happening until better engineering decisions start to be made and people start owning their choices and code responsibly. It is pure garbage and negligence.
It's the typical example: if a doctor tried to treat you without any safety measures, if you noticed he was nervous and sloppy, if his office was full of garbage, you'd probably walk away. In computer science we do the opposite.

 

> In computer science we do the opposite

Not sure if that is true. That is why we have TypeScript 😄

 

I just randomly opened this DEV article on React and saw my fellow countrymen from Birtamode. Just wanna wish you good luck with your company at Birtamode. :)

 

Thanks, man. It's always nice to hear from someone from my own country. That is why I have been recommending dev.to to all of my colleagues; being a part of a community like this is very rewarding.

Wish you good luck with your endeavors too.