This week I learned a ton about npm dependency management, mongodb, heroku, React and keystone.js.

The biggest thing I learned: you people are crazy and I don't want to ever touch any of those things ever again.


The 15 packages listed in package.json installed 1800+ dependencies. The versions in the package lock file included the infamous event-stream w/ Bitcoin miner, a ton of packages that no longer exist, about 100 "stop using this, it's deprecated" and 323 other vulnerabilities.

npm tells me they're vulnerable, and that it can try to fix them, but it tried and failed. What are these 323 things? And did the previous maintainer know any more about what they are than I do?

Additionally, the whole thing only runs on node v6.xx. It doesn't crash or print any warnings on other versions, mind you. It just doesn't do any of the things it claims it's doing. Chiefly, binding to port 3000 on localhost.

The mongo database dump I have was from a version of mongo before they changed how indexes work. The version I have knows the indexes are the wrong format, but I had to Google for a command line flag to force it to use the old index format.

The only reason I discovered the indexes thing was that some of the collections that should have been in mongo weren't after importing the dump.

I spent about 10 minutes trying to figure out how this project was configured with mongodb credentials so I could change it.

Turns out I didn't need to bother because mongo doesn't even have a configured user, let alone a password unless you do something crazy like tell it to do so.

Oh, my only real heroku complaint is that they apparently charge $18 a month to send post-deploy webhooks.
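For the "what are these 323 things?" question and the event-stream entry in the lock file above, here is an added example (not code from the thread or any project it mentions) that walks a lockfileVersion 1 package-lock.json, counts every transitively pinned package, flags the known-compromised event-stream 3.3.6 / flatmap-stream 0.1.1 pair via a denylist, and lists entries that carry no integrity hash. The lockfile contents, the version numbers of the other packages and the integrity strings are constructed for the demo.

```javascript
// Known-bad versions to flag. event-stream 3.3.6 is the release that pulled in
// the malicious flatmap-stream 0.1.1; everything else in this file is made up.
const DENYLIST = {
  "event-stream@3.3.6": "depends on malicious flatmap-stream 0.1.1",
  "flatmap-stream@0.1.1": "contains injected credential-stealing code",
};

// Constructed lockfileVersion 1 document (nested "dependencies" tree).
// Integrity values are placeholders, not real hashes.
const SAMPLE_LOCK = {
  name: "legacy-keystone-app",
  lockfileVersion: 1,
  dependencies: {
    "event-stream": {
      version: "3.3.6",
      integrity: "sha512-placeholder-1",
      requires: { "flatmap-stream": "0.1.1" },
      dependencies: {
        // no integrity field: npm cannot verify the tarball it fetches
        "flatmap-stream": { version: "0.1.1" },
      },
    },
    "left-pad": { version: "1.3.0", integrity: "sha512-placeholder-2" },
    keystone: {
      version: "4.0.0",
      integrity: "sha512-placeholder-3",
      // a second, nested copy of left-pad counts as its own package@version
      dependencies: { "left-pad": { version: "1.1.3", integrity: "sha512-placeholder-4" } },
    },
  },
};

// Depth-first walk over the nested dependency tree, recording every
// name@version seen and the path by which each flagged one was reached.
function walk(deps, path, out) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const id = `${name}@${entry.version}`;
    const here = [...path, id];
    out.packages.add(id);
    if (!entry.integrity) out.missingIntegrity.push(id);
    if (DENYLIST[id]) out.flagged.push({ id, path: here.join(" > "), reason: DENYLIST[id] });
    walk(entry.dependencies, here, out);
  }
}

// Returns the unique package count plus the two findings lists.
function auditLock(lock) {
  const out = { packages: new Set(), flagged: [], missingIntegrity: [] };
  walk(lock.dependencies, [], out);
  return { count: out.packages.size, flagged: out.flagged, missingIntegrity: out.missingIntegrity };
}
```

Run it against a real lock file with `auditLock(JSON.parse(require("fs").readFileSync("package-lock.json")))`; the `count` is the "1800+" figure the thread refers to, and `flagged[].path` shows which direct dependency dragged each bad version in.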

@nyquildotorg Don’t know about the rest but npm itself is heaven-sent when used with packages by the “small tech” side of the JS community like the DAT Project folks and that greater community.

@aral @nyquildotorg I imagine there are curated lists of high-quality npm packages which only depend on other high-quality packages. Because that's really all it needs.

@freakazoid @aral that may be true, but none of the projects I've had the misfortune of having to touch do anything like that. If it's not npm's default behavior, it's an npm problem.

It's great that people have come up with ways to make it less stupid and dangerous, but the fact that they have to know they need to do that sucks.

@freakazoid @nyquildotorg @aral

If only! I’m not sure how well the community would take to that sort of gatekeeping though, despite it potentially being a large force for good.

@nyquildotorg it’s a tricky balance because on one hand the Unix philosophy (proven time and again to be a robust set of principles) is to build lots of small, specialised programs that communicate well. The Node ecosystem is pretty much that, but is often accused of being too much. But it’s rare for anyone to need to reinvent things, which is neat!

The toolchain can be *utter garbage* though - Gary Bernhardt on birdsite is a really good source of commentary on how broken it can all get.
