I understand making a point, but this just seems destructive. Just cache your node modules; it's not that big of a deal. The author, Drew DeVault, also runs a public git hosting service. If...
I understand making a point, but this just seems destructive. Just cache your node modules; it's not that big of a deal.
The author, Drew DeVault, also runs a public git hosting service. If someone expresses the goal of "causing chaos", it would sure give me pause before trusting them with my code. What if tomorrow he decides git is an antipattern and burns that down instead?
I had a Mastodon account on his server, after he offered it on Hacker News. I didn't use it much, but one day I went back and the server had disappeared, without notice. I doubt that would happen...
I had a Mastodon account on his server, after he offered it on Hacker News. I didn't use it much, but one day I went back and the server had disappeared, without notice.
I doubt that would happen for the git hosting service since more people are using it, but it would make me a bit hesitant.
He did give notice though.... ... on his personal Mastodon account. If you didn't check that, and from the comment it doesn't seem like you did, I totally expect it would feel "unprompted"....
I went back and the server had disappeared, without notice.
He did give notice though....
... on his personal Mastodon account.
If you didn't check that, and from the comment it doesn't seem like you did, I totally expect it would feel "unprompted".
Personally, I might've sent an email or something to all registered people, but I don't have any "big" hosted thing, so I don't know if there would be any better ways to do so.
the example module he quotes is kind of funny: var toString = {}.toString; module.exports = Array.isArray || function (arr) { return toString.call(arr) === '[object Array]'; }; so by default it...
the example module he quotes is kind of funny:
var toString = {}.toString;
module.exports = Array.isArray || function (arr) {
return toString.call(arr) === '[object Array]';
};
so by default it simply uses the built-in Array.isArray method.
if that's not defined, it has a fallback, which is...checking if its stringified representation is [object Array]. oof. it works, I guess.
but that native isArray method has been around since Chrome version 5, Firefox version 4, and IE 9. which seems to have been 2010 or 2011 based on this and this.
how many of the people using that module realize there's a built-in they can use instead, that'll work perfectly on any browser that's not 10 years old?
Go's module proxy would prevent this. You effectively don't get to delete a module yourself once it's published. (Though they might make exceptions on a case-by-case basis when contacted about a...
Go's module proxy would prevent this. You effectively don't get to delete a module yourself once it's published. (Though they might make exceptions on a case-by-case basis when contacted about a malicious module.)
I wonder if this is going to cause any more outages..... Do you think ~$1K USD is enough motivation for someone to pull their package from NPM? Will this cause "a great flattening" of NPM...
I wonder if this is going to cause any more outages..... Do you think ~$1K USD is enough motivation for someone to pull their package from NPM? Will this cause "a great flattening" of NPM dependencies or simply make people laugh and move on through their day? Will NPM change? Find out next week!
This ends up punishing the wrong people. I try to make sane decisions about what to turn to NPM for and what to write myself. But somewhere down the dependency tree an idiot developer couldn't...
This ends up punishing the wrong people. I try to make sane decisions about what to turn to NPM for and what to write myself. But somewhere down the dependency tree an idiot developer couldn't figure out if a value is an array or not on their own and now I need to pay for that?
This is amusing, and clearly inspired by an article the Onion publishes every time there is a mass shooting.
I understand making a point, but this just seems destructive. Just cache your node modules; it's not that big of a deal.
The author, Drew DeVault, also runs a public git hosting service. If someone expresses the goal of "causing chaos", it would sure give me pause before trusting them with my code. What if tomorrow he decides git is an antipattern and burns that down instead?
I had a Mastodon account on his server, after he offered it on Hacker News. I didn't use it much, but one day I went back and the server had disappeared, without notice.
I doubt that would happen for the git hosting service since more people are using it, but it would make me a bit hesitant.
He did give notice though....
... on his personal Mastodon account.
If you didn't check that, and from the comment it doesn't seem like you did, I totally expect it would feel "unprompted".
Personally, I might've sent an email or something to all registered people, but I don't have any "big" hosted thing, so I don't know if there would be any better ways to do so.
the example module he quotes is kind of funny:
so by default it simply uses the built-in Array.isArray method.
if that's not defined, it has a fallback, which is...checking if its stringified representation is
[object Array]. oof. it works, I guess.but that native isArray method has been around since Chrome version 5, Firefox version 4, and IE 9. which seems to have been 2010 or 2011 based on this and this.
how many of the people using that module realize there's a built-in they can use instead, that'll work perfectly on any browser that's not 10 years old?
Go's module proxy would prevent this. You effectively don't get to delete a module yourself once it's published. (Though they might make exceptions on a case-by-case basis when contacted about a malicious module.)
I wonder if this is going to cause any more outages..... Do you think ~$1K USD is enough motivation for someone to pull their package from NPM? Will this cause "a great flattening" of NPM dependencies or simply make people laugh and move on through their day? Will NPM change? Find out next week!
This ends up punishing the wrong people. I try to make sane decisions about what to turn to NPM for and what to write myself. But somewhere down the dependency tree an idiot developer couldn't figure out if a value is an array or not on their own and now I need to pay for that?
This wouldn't actually work for any significant npm module. npm somewhat learned their lesson after left-pad.
Quick plug: https://github.com/adityasaky/availability-woes/blob/main/repository-policies/npm.md