PragmaticPulp · 4 years ago
732K downloads per month.

722K of those downloads come from this package by the same authors: https://www.npmjs.com/package/handlebars-helpers-ncc

The handlebars-helpers-ncc package contains 130 different utility dependencies including a few actually useful things like functions to convert Markdown to HTML, but also some weirdly trivial packages like is-even.

I suppose this was a brilliant way for the authors to generate staggeringly high NPM download counts for their packages: Repackage other people’s useful code into convenience functions and then include their own trivial package dependencies several layers deep to multiply their overall downloads count.

I wonder how many jobs they’ve applied to while bragging about their millions of monthly NPM downloads.

ratww · 4 years ago
This is a very well known trick that we don't talk about much in public, but this is how most people with hundreds of repos on NPM get to this number.

One very popular terminal progress bar spinner has over 30 dependencies. One with the list of colors, another to display colors, another to clean the line, another to check if emojis are supported, another one with a list of emojis... plus a whole lot of wheel reinvention.

It was visible that most code in the sub-packages was just functions copied almost verbatim from StackOverflow.

It was also extremely limited when I tried to use it, and had quite a few bugs (it only really worked well on Macs at the time), despite the extremely large number of dependencies. Reimplementing took about 20 lines.

dexwiz · 4 years ago
This is what drives me insane about NPM. Libraries are useful, and even package splitting utils like underscore or babel make sense in some scenarios. But it only takes a few packages like these to explode the size of the dependency tree.
hulitu · 4 years ago
Wow, you just gave me a great idea for libc. Why not split it in libprintf, libscanf, libexit, libitoa, libstrbcpy etc.? I'm sure the world will be better after this.
oefrha · 4 years ago
Ah, the infamous npm spammer jonschlinkert. This guy has even crazier packages like https://www.npmjs.com/package/ansi-red and I quote:

  Related projects
  ----------------
  ansi-reset
  ansi-bold
  ansi-dim
  ansi-italic
  ansi-underline
  ansi-inverse
  ansi-hidden
  ansi-strikethrough
  ansi-black
  ansi-red
  ansi-green
  ansi-yellow
  ansi-blue
  ansi-magenta
  ansi-cyan
  ansi-white
  ansi-gray
  ansi-grey
  ansi-bgblack
  ansi-bgred
  ansi-bggreen
  ansi-bgyellow
  ansi-bgblue
  ansi-bgmagenta
  ansi-bgcyan
  ansi-bgwhite
That fucking ansi-red "package" has 1.3M weekly downloads.

I have to actually check to make sure he doesn't have packages like regexp-left-parenthesis, regexp-dot, etc.

ratww · 4 years ago
The code of ansi-red for those interested:

    var wrap = require('ansi-wrap');
    
    module.exports = function red(message) {
      return wrap(31, 39, message);
    };
And ansi-wrap:

    module.exports = function(a, b, msg) {
      return '\u001b['+ a + 'm' + msg + '\u001b[' + b + 'm';
    };
Now imagine those things inside a real utility that gets adopted by some popular package.

jillesvangurp · 4 years ago
It's ridiculous and amusing at the same time. However, I blame the people depending on libraries such as this, not the opportunists enabling them. They either don't know what they are doing (incompetence) or can't be bothered to do anything about it (indifference). The combination of can't be bothered and wouldn't know how to is what leads to people using shit like this.

In the defense of javascript, dead code elimination is kind of hard because it is such a dynamic/messy language and that kind of pushes people in the direction of ridiculously fine-grained modularization. Languages with an actual type system and compiler tend to produce artifacts that only include code that is actually needed. That requires dead code elimination that actually works. Beyond what comes with the browser, there isn't much of a standard library. That's for the same reason. You'd either end up shipping the whole thing on every website or depending on some convoluted tooling in an attempt to strip it down to what you are actually using. Minification is of course a thing but it usually boils down to more obfuscating than actually removing dead code.

My strategy is to generally avoid the whole ecosystem as much as I can. I've been using Kotlin-js lately. Great libraries, runs in a browser, reactive styled components using fritz-2, web compose, or if you really insist react. You still get exposed to some of the madness (like webpack breaking between minor releases) but mostly you are shielded from that.

zsims · 4 years ago
Spammer is a polite definition. His background is in marketing, the business he links brandscale[.]com is broken/abandoned. How long until we see these packages used as trojan horses? Or sold to third parties?
beaconstudios · 4 years ago
Let me balance the chi by linking to a prolific open source contributor who makes actually-good repos: https://github.com/sindresorhus?tab=repositories&q=&type=&la...
tyingq · 4 years ago
Oh, that's awful. It depends on ansi-wrap (another pretty much 1-liner package) with 2.6M weekly downloads.

Is there a site or code snippet where I can see which of the popular dependants was fooled into using this crap and is driving most of the downloads?

fspoettel · 4 years ago
It's very funny to me that these packages exist while one of his bigger projects (https://github.com/enquirer/enquirer) lists the following reason under "why use it":

> Lightweight - Only one dependency, the excellent ansi-colors by Brian Woodward.

Deleted Comment

athenot · 4 years ago
> Several years ago I switched careers from sales, marketing and consulting[1]

The author's bio on his GitHub profile explains it: he's approaching development with a mindset of sales and marketing. It's also followed by his GitHub stats front and center.

[1] https://github.com/jonschlinkert

phatfish · 4 years ago
I think we know how he created more than "1000 open source projects".

s/projects/functions

crimper · 4 years ago
ansi-red, making the world a better place!

Deleted Comment

HWR_14 · 4 years ago
> I wonder how many jobs they’ve applied to while bragging about their millions of monthly NPM downloads.

isEven claims to be a learning project. It depends on isOdd and isNumber, both of which were admitted (IIRC) to be explicit NPM download boosting projects, such that the author of isOdd added it to major modules whenever they could.

newsbinator · 4 years ago
isNumber would make for a legit package. Is there a good way in javascript to determine confidently if an arbitrary input is a number?

e.g: [1, "one", true, false, 0, "zero", null, undefined]

edit: also ["1", "0", etc]

edit 2: also [NaN]
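An added example, not code from the thread or from any npm package discussed in it, answering the question above with two explicit predicates run over the inputs listed in the comment (plus a few extra edge cases). The design point is to decide up front whether string coercion is wanted and to never let it happen implicitly; `isFiniteNumber`, `isNumeric` and `classify` are names chosen here, not existing APIs.

```javascript
// Added example (not from the thread or any npm package it discusses):
// two explicit "is this a number?" predicates for JavaScript.

// Strict: true only for finite primitive numbers. Rejects NaN, Infinity,
// booleans, null, numeric strings, arrays and boxed Number objects.
function isFiniteNumber(value) {
  return typeof value === 'number' && Number.isFinite(value);
}

// Lenient: additionally accepts a non-empty string that parses as a finite
// number. Number() is used rather than parseFloat so that "12abc" is
// rejected. Booleans, null and arrays are still rejected even though
// Number(true) === 1 and Number([1]) === 1.
function isNumeric(value) {
  if (isFiniteNumber(value)) return true;
  if (typeof value === 'string' && value.trim() !== '') {
    return Number.isFinite(Number(value));
  }
  return false;
}

// Constructed sample input: the values from the comment above, followed by
// some extra edge cases (empty string, padded string, trailing garbage,
// single-element array, boxed Number, overflow to Infinity).
const SAMPLE_INPUTS = [
  1, 'one', true, false, 0, 'zero', null, undefined,
  '1', '0', NaN, Infinity, '', ' 42 ', '12abc', [1], new Number(5), 1e308 * 10,
];

// Returns one row per input with the verdict of each predicate.
function classify(inputs) {
  return inputs.map((v) => ({
    input: v,
    strict: isFiniteNumber(v),
    lenient: isNumeric(v),
  }));
}

// Run stand-alone with: node this-file.js
if (typeof require !== 'undefined' && require.main === module) {
  for (const row of classify(SAMPLE_INPUTS)) {
    const shown = typeof row.input === 'string' ? JSON.stringify(row.input) : String(row.input);
    console.log(shown.padEnd(14), 'strict:', row.strict, ' lenient:', row.lenient);
  }
}
```

Of the inputs listed in the comment, only `1` and `0` pass the strict check; the lenient check additionally accepts `'1'`, `'0'` and `' 42 '`. Whichever predicate a package picks, the important property is that the rule is stated and tested rather than inherited from whatever `Math.abs` or unary `+` happen to coerce.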

cblconfederate · 4 years ago
that is odd
Aperocky · 4 years ago
The guy actually had a piece defending his practice making it to HN a few years back. It was not received well.
IshKebab · 4 years ago
Is that the same guy who was talking about how much work it is maintaining 200 repos?
midrus · 4 years ago
> I wonder how many jobs they’ve applied to while bragging about their millions of monthly NPM downloads.

I used to work for a company where it was ok (managers won't say anything, even if explicitly pointed at the situation) to remove company code, create your own NPM package (on your own private NPM account) and add it as a dependency of the company codebase(s).

This and some other similar behaviours were the reason I left that company. But I'm the loser of the story here, as those guys are now working for even bigger companies with bigger salaries than me.

pizza234 · 4 years ago
> But I'm the loser of the story here, as those guys are now working for even bigger companies with bigger salaries

Another way to look at this is that a lower-paid SWE is paying for their mental health and morale. In my books, that's a winner :)

With the assumption that those engineers whose high/er salary in big/ger companies is not achieved through mastery (Netflix is certainly not going to hire the Jon Schlinkerts), they're likely going to work with, say, "moral peers", which is typically undesirable for mentally healthy people.

itronitron · 4 years ago
They must be quite the 10X programmers to be able to contribute to open source like that while still holding a full-time job. (/s)
rizkeyz · 4 years ago
You must be kidding me. Color me old-fashioned, but software development for me is still a "serious" job - one that requires years of training, focus and patience to get through all the matter.

And you tell me these people don't give a single fuck?

vlunkr · 4 years ago
> I wonder how many jobs they’ve applied to while bragging about their millions of monthly NPM downloads.

Do people really do this? Does this explain the dumpster fire ecosystem of NPM?

ratww · 4 years ago
It is perfectly normal to see "N packages on NPM with N downloads" in resumés, and often a good sign.

...but interviewers often assume that they are all useful packages and that the numbers are not inflated.

swalls · 4 years ago
Which is something that can be fixed instantly: simply stop showing download counts on NPM.
op00to · 4 years ago
The author is a staunch anti-vaxer in addition to an open source huckster which seems to line up the fallacies of his “contributing to open source” with his willingness to spread lies about COVID and the vaccine.

Look at the guy's Twitter: https://mobile.twitter.com/jonschlinkert

Deleted Comment

Aperocky · 4 years ago
Code smell is true lol.
nowherebeen · 4 years ago
> I wonder how many jobs they’ve applied to while bragging about their millions of monthly NPM downloads.

The sad thing about this is that people will buy it too

soheil · 4 years ago
What benefits do those authors accrue other than just an increased download counter?
ratww · 4 years ago
Patreon and Github Sponsorships are popular ones. But also being able to add to their Resumé, being popular and leveraging it for other activities like talks and interviews, etc.
raverbashing · 4 years ago
I think you have the sell-side correct there.

And stretching the idea, people who download is-even for serious purposes are probably amongst the hopelessly naive/inexperienced ones.

Benjammer · 4 years ago
I think the horseshoe is almost coming back around to the point where people criticizing NFTs are bringing them up more often and in more annoyingly-out-of-context ways than the crypto people themselves...
game_the0ry · 4 years ago
That's awesome. I would hire them on just the creativity, and they also understand the js package ecosystem as well.
bryanrasmussen · 4 years ago
I mean the first guy who did it on the creativity, maybe the first 10, but nowadays that just means you can't think of anything else to boost your profile.
skeeter2020 · 4 years ago
>> and they also understand the js package ecosystem as well.

You mean how broken it is, and how to take advantage of it? Depending on your business they could fit in really well.

friedman23 · 4 years ago
That's one way to look at it, the other is that they will game whatever incentives you put in place at your company to your detriment.
mftb · 4 years ago
That's great, hire them, then it will have served its purpose. They can repackage all their trivial number related stuff up into one generally useful module, deprecate the old trivial ones and everybody can get back to work (with a smaller number of dependencies).
jeroenhd · 4 years ago
Ha, I remember this package. It's a dependency of a dependency of a dependency in several projects inside the company I work for. I think either React, Babel, or Webpack depended on it at some point in time.

Nobody needs to write satire about the state of Javascript package management when people write (and use!) libraries like these.

smt88 · 4 years ago
This package certainly seems like satire. It has no actual implementation in it. Instead it depends on another npm package: `is-odd`.

https://github.com/i-voted-for-trump/is-even/blob/master/pac...

ratww · 4 years ago
`is-odd` is made by the same developer. This was created to inflate NPM numbers.
cormacrelf · 4 years ago
The “Usage” section in the readme doesn’t even give you any information about how it behaves on inputs that aren’t numbers. I hope the is-odd package has some way of detecting whether the input is a number or not. Maybe other packages need this too!

    isEven(0);
    //=> true
    isEven('1');
    //=> false
    isEven(2);
    //=> true
    isEven('3');
    //=> false

madacol · 4 years ago
He probably moved that repo away from his profile (https://github.com/jonschlinkert) to avoid being trolled
pram · 4 years ago
Hilarious GH name, and apparently masterful troll.

Deleted Comment

moojd · 4 years ago
I wish some of these large projects would start seriously auditing their dependencies and stop pulling in dependencies that have many dependencies themselves. There is a one-two punch of a culture of "there's a package for that" and npm not requiring flat dependency trees by default. The denial in the node community that npm is uniquely bad is frustrating. I want the community to stop denying and own these issues so things can get better. It's going to take the authors of large packages to start evangelizing the use of fewer, higher quality packages, using flat dependency trees, and re-implementing trivial functions instead of adding another node to trust.
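An added example, not from the thread or from npm itself, that serves two earlier points: tyingq's question about which dependants are responsible for a package being pulled in (answered here for one project's own tree rather than for the whole registry), and the auditing of transitive dependencies argued for above. It walks the `packages` map of an npm lockfile (the v2/v3 format written by npm 7 and later), resolves each dependency the way Node does (nearest `node_modules` first), lists every chain from the project root to a named package, and sizes the transitive tree under each direct dependency. The lockfile below is a constructed sample shaped like the is-even chain discussed in the thread; its version numbers are placeholders, and `resolve`, `pathsTo`, `responsibleDirectDeps` and `transitiveCounts` are names chosen here.

```javascript
// Added example (not from the thread or from npm): audit an npm lockfile's
// "packages" map. Constructed sample lockfile; versions are placeholders.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { 'some-cli': '^1.0.0', 'plain-lib': '^2.0.0' } },
    'node_modules/some-cli': {
      version: '1.0.0',
      dependencies: { 'is-even': '^1.0.0', 'ansi-red': '^0.1.0', 'is-number': '^5.0.0' },
    },
    'node_modules/plain-lib': { version: '2.0.0' },
    'node_modules/is-even': { version: '1.0.0', dependencies: { 'is-odd': '^3.0.0' } },
    'node_modules/is-odd': { version: '3.0.0', dependencies: { 'is-number': '^6.0.0' } },
    'node_modules/is-number': { version: '6.0.0' },
    'node_modules/ansi-red': { version: '0.1.0', dependencies: { 'ansi-wrap': '^0.1.0' } },
    'node_modules/ansi-wrap': { version: '0.1.0' },
    // Nested copy: some-cli pins an older is-number, so resolution from
    // some-cli must prefer the nearest node_modules, as npm/Node do.
    'node_modules/some-cli/node_modules/is-number': { version: '5.0.0' },
  },
};

// Lockfile path of the package that contains `path` ('' for the root).
function parentOf(path) {
  const idx = path.lastIndexOf('/node_modules/');
  return idx < 0 ? '' : path.slice(0, idx);
}

// Package name from a lockfile path; handles scoped names like @scope/pkg.
function nameOf(path) {
  return path.split('node_modules/').pop();
}

// Resolve dependency `name` as seen from the package installed at `from`,
// walking up the node_modules chain until the root is reached.
function resolve(lock, from, name) {
  let base = from;
  for (;;) {
    const candidate = (base ? base + '/' : '') + 'node_modules/' + name;
    if (lock.packages[candidate]) return candidate;
    if (base === '') return null;
    base = parentOf(base);
  }
}

// Every chain root -> ... -> target, as arrays of lockfile paths.
function pathsTo(lock, targetName) {
  const found = [];
  const walk = (path, chain) => {
    const entry = lock.packages[path];
    if (!entry) return;
    if (path !== '' && nameOf(path) === targetName) {
      found.push(chain);
      return;
    }
    for (const dep of Object.keys(entry.dependencies || {})) {
      const next = resolve(lock, path, dep);
      if (next && !chain.includes(next)) walk(next, chain.concat(next)); // cycle guard
    }
  };
  walk('', []);
  return found;
}

// Names of the direct dependencies that cause `targetName` to be installed.
function responsibleDirectDeps(lock, targetName) {
  return [...new Set(pathsTo(lock, targetName).map((chain) => nameOf(chain[0])))];
}

// Number of distinct packages installed beneath each direct dependency.
function transitiveCounts(lock) {
  const counts = {};
  for (const dep of Object.keys(lock.packages[''].dependencies || {})) {
    const seen = new Set();
    const stack = [resolve(lock, '', dep)];
    while (stack.length) {
      const p = stack.pop();
      if (!p || seen.has(p)) continue;
      seen.add(p);
      for (const d of Object.keys(lock.packages[p].dependencies || {})) {
        stack.push(resolve(lock, p, d));
      }
    }
    counts[dep] = seen.size - 1; // exclude the direct dependency itself
  }
  return counts;
}

// Stand-alone: node this-file.js [package-lock.json] [target-package]
if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const lock = process.argv[2] ? JSON.parse(fs.readFileSync(process.argv[2], 'utf8')) : SAMPLE_LOCK;
  const target = process.argv[3] || 'is-number';
  for (const chain of pathsTo(lock, target)) console.log(chain.join(' -> '));
  console.log('direct deps responsible:', responsibleDirectDeps(lock, target));
  console.log('transitive packages per direct dependency:', transitiveCounts(lock));
}
```

On the sample, `is-number` is reachable by two chains, both starting at `some-cli`, and `some-cli` brings in six further packages while `plain-lib` brings in none; that per-direct-dependency number is the one worth watching in review when a new dependency is proposed. The walker follows only the `dependencies` key of each entry, which is a simplification: real lockfiles also carry `optionalDependencies`, `peerDependencies` and workspace `link` entries, and a lockfile v1 file has no `packages` map at all.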
ratww · 4 years ago
It is an uphill battle, lemme tell you.

There is a bit of a culture clash inside Javascript. Even when you're a veteran contributor, sometimes maintainers resist changing packages, as simple as they are, because there is an implicit assumption that popular packages, or even packages with too many dependencies are "better" or "handled all the edge cases".

Even with careful evaluation of the options and a write-down of issues and a proper comparison, you need ten times as much energy to remove a package than it took to add it.

It's even worse when "too many packages" is in the DNA of the package you're collaborating on.

sulam · 4 years ago
The writing, okay, fine, dude was having some fun. Actually depending on it? Sigh.
sethammons · 4 years ago
The entire package boils down to the following. I find it funny.

    'use strict';

    var isOdd = require('is-odd');

    module.exports = function isEven(i) {
      return !isOdd(i);
    };

maxbaines · 4 years ago
Yes and is-odd contains

    const isNumber = require('is-number');

    module.exports = function isOdd(value) {
      const n = Math.abs(value);
      if (!isNumber(n)) {
        throw new TypeError('expected a number');
      }
      if (!Number.isInteger(n)) {
        throw new Error('expected an integer');
      }
      if (!Number.isSafeInteger(n)) {
        throw new Error('value exceeds maximum safe integer');
      }
      return (n % 2) === 1;
    };

maxbaines · 4 years ago
For good measure is-number contains

    'use strict';

    module.exports = function(num) {
      if (typeof num === 'number') {
        return num - num === 0;
      }
      if (typeof num === 'string' && num.trim() !== '') {
        return Number.isFinite ? Number.isFinite(+num) : isFinite(+num);
      }
      return false;
    };

pibi · 4 years ago
I love the fact that this small code is still wrong:

    var isOdd = require("is-odd");

    console.log(isOdd([1])); // TRUE!!
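An added example, not code from the thread or from the is-odd package, showing why `isOdd([1])` comes back `true`: `Math.abs` runs before the type check and silently coerces its argument (`[1]` becomes `"1"` and then `1`), so the check only ever sees a number. The block reproduces the quoted logic with its is-number dependency inlined, puts a version that validates the raw value before any coercion beside it, and tabulates both over a constructed set of inputs; `isOddAsQuoted`, `isOddStrict`, `outcome` and `compare` are names chosen here.

```javascript
// Added example (not from the thread or the is-odd package).

// Reproduction of the logic quoted in the thread, with is-number inlined
// (for a number, `num - num === 0` is false exactly for NaN and ±Infinity).
// The defect is the order: coercion first, validation second.
function isOddAsQuoted(value) {
  const n = Math.abs(value); // Math.abs([1]) === 1, Math.abs('3') === 3, Math.abs(true) === 1
  if (!Number.isFinite(n)) {
    throw new TypeError('expected a number');
  }
  if (!Number.isInteger(n)) throw new Error('expected an integer');
  if (!Number.isSafeInteger(n)) throw new Error('value exceeds maximum safe integer');
  return (n % 2) === 1;
}

// Hardened version: inspect the raw value first, never coerce. Anything that
// is not a safe-integer primitive is a TypeError, so a caller cannot come to
// depend on accidental coercion of arrays, booleans or strings.
function isOddStrict(value) {
  if (typeof value !== 'number' || !Number.isSafeInteger(value)) {
    throw new TypeError(`expected a safe integer, got ${describe(value)}`);
  }
  return Math.abs(value) % 2 === 1;
}

function describe(value) {
  if (value === null) return 'null';
  if (Array.isArray(value)) return 'array';
  return typeof value;
}

// Turn a return value or a throw into a string so both versions can be
// shown side by side.
function outcome(fn, value) {
  try {
    return String(fn(value));
  } catch (e) {
    return `${e.constructor.name}: ${e.message}`;
  }
}

// Constructed sample inputs: the [1] case from the comment above plus other
// shapes that ToNumber quietly accepts, and a few genuine numbers.
const PROBE_INPUTS = [[1], ['3'], '3', true, [], null, 3, -3, 4, 3.5, NaN, 2 ** 53 + 1];

function compare(inputs) {
  return inputs.map((v) => ({
    input: v,
    asQuoted: outcome(isOddAsQuoted, v),
    strict: outcome(isOddStrict, v),
  }));
}

// Stand-alone: node this-file.js
if (typeof require !== 'undefined' && require.main === module) {
  console.table(compare(PROBE_INPUTS));
}
```

The quoted version reports `true` for `[1]`, `['3']`, `'3'` and `true`, and `false` for `[]` and `null`, all without complaint; the strict version rejects every one of those with a `TypeError` and agrees with it only on genuine safe integers. The general rule this illustrates is to validate the value you were given, not the value after the language has reinterpreted it.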

eurekin · 4 years ago
Imagine, if isOdd suddenly changed to:

    'use strict';

    var isEven = require('is-even');

    module.exports = function isOdd(i) {
      return !isEven(i);
    };

f00zz · 4 years ago

    function isOdd(i) {
      return i > 0 && isEven(i - 1);
    }

    function isEven(i) {
      return i == 0 || isOdd(i - 1);
    }

mbesto · 4 years ago
And has 100% test code coverage. Brilliant.
Grieving · 4 years ago
2̶7̶ 2 dependencies, travis ci configured, fully tested and documented, even the readme depends on some external tool. github username is i-voted-for-trump. Looks like a joke that people actually started using.

edit: Confused dependents with dependencies

rnestler · 4 years ago
In the GitHub organization i-voted-for-trump it even states:

> This is a joke. You'll only see this org if you are attempting to troll me about repositories I created when I was learning to program

omnicognate · 4 years ago
27 dependents, i.e. things depending on it. Only one dependency: is-odd, hilariously.

I'd like to think it's a joke, but maybe not. Anyway, what's with the massive download spike, 20 million downloads between 22nd and 28th December 2020?

toomanybeersies · 4 years ago
It actually has 2 dependencies, `is-odd` depends on `is-number`
rezonant · 4 years ago
I assume they got it into a popular package around then, and it was promptly removed for being ridiculous.
dgrin91 · 4 years ago
In the about for the project it says

> I created this in 2014, when I was learning how to program.

uxp · 4 years ago
It would be one thing if it was _just_ a little demo utility used to showcase packaging and distribution of a trivial use case, however the creator of this has also created a number of packages which pull in these "demo" packages, like `handlebar-helpers`, which is again just these trivial function packages wrapped in handlebar decorators.

Several of these utility and helper packages are then pulled into other packages and build tools and marketed as legitimate packages, effectively hiding and masking the "just a demo" labels of the root is-even, is-odd, is-number packages. When people like myself complain about the absurdity of NPM supply chain verification, this is what we're arguing against.

pledg · 4 years ago
27 dependants, not dependencies. It has one dependency.
1_player · 4 years ago
I'm not sure where you are seeing that username, but no, sadly it's not a joke.
Grieving · 4 years ago
If you click on the github link, it redirects to an archived repo under that username.
rectang · 4 years ago
Adding a package like this as a dependency is a net negative, because for the sake of trivial functionality you take on all the supply chain overhead and security risk.

The culture of relying on small dependencies needs to adapt to account for security. It's one of many aspects of open source supply chain management due for a reckoning.

comeonseriously · 4 years ago
But DAMMIT, developer productivity, man!

But, honestly, do developers these days just not have their OWN libraries of code they bring along with them? Are they SO dependent on others they can't write trivial code?

toyg · 4 years ago
I reckon that centralized package management actually _reduced_ the amount of people relying on their own library of snippets. Why bother saving how you solved Problem A, when there is probably a package doing it better...?
globalise83 · 4 years ago
Ironic that this post makes it to front page but an admission that any npm package published before 2020 may have been hacked gets no interest! https://news.ycombinator.com/item?id=29234098
Nicksil · 4 years ago
>Ironic that this post makes it to front page but an admission that any npm package published before 2020 may have been hacked gets no interest! https://news.ycombinator.com/item?id=29234098

Not ironic. That article's unfortunate and misleading title isn't nearly as eye-catching as one describing the true nature of its content; a deliberate decision.

consumer451 · 4 years ago
Yeah, it really deserves a re-post or admin bump... this is just crazy.

Does saying dang 3 times work?

game_the0ry · 4 years ago
This is beautiful.

From the github user's ("i-voted-for-trump") bio:

> This is a joke. You'll only see this org if you are attempting to troll me about repositories I created when I was learning to program.

I give this troll effort a score of 9/10. Well done - love the testing, readme, docs, continuous integration, etc. Honestly, this is better than most enterprise software I see.

I might contribute for fun and lulz...

EDIT - read some of the comments and there is some anger and confusion. Folks, this is a troll. Yes, npm and the JS ecosystem have some flaws, but let's not get bent out of shape.

pizza234 · 4 years ago
> From the github user's ("i-voted-for-trump") bio:

> EDIT - read some of the comments and there is some anger and confusion. Folks, this is a troll. Yes, npm and the JS ecosystem have some flaws, but let's not get bent out of shape.

It doesn't look like so. The author is definitely creating some confusion with redirects, but the readme of his professional Github's account (https://github.com/jonschlinkert) says:

> Several years ago I switched careers from sales, marketing and consulting to learn how to program, with the goal of making the world a better place through code. [...] To date, I've created more than 1,000 open source projects in an effort to reach my goal. Open source software takes a lot of time to create and maintain. You can help me to achieve my goals of changing the world through code, help me create better developer experiences, or just say thank you by sponsoring me on GitHub.

He's asking for real money; he's definitely not a troll.

gizdan · 4 years ago
> From the github user's ("i-voted-for-trump")

Well, his Twitter is on point.

Anyway, I'm pretty sure it wasn't a joke originally. I recall him heavily defending it even after people trolled him for creating such a package.

eunos · 4 years ago
Why can't NPM have something like Apache Commons? There you can include all simple and fundamental functionality, instead of having one package each like this.
thrower123 · 4 years ago
Why couldn't Javascript have ever built a halfway decent standard library?

Much of the terribleness of the current programming environment could have been rectified if this fundamental failure had not been allowed to continue.

chrisfinazzo · 4 years ago
We've been down this road before, and learned...nothing.

https://www.davidhaney.io/npm-left-pad-have-we-forgotten-how...

Stupid debates over a formatting tool - or in this case, a simple conditional - should tell you that something is seriously FUBAR in Javascriptland.

krapp · 4 years ago
Javascript has a perfectly decent standard library for its intended use case - scripting webpages. It was never meant to be a general purpose application or systems programming language. It was never meant to be used outside of the browser, much less to replace C++ and other languages in their respective domains.

The "current programming environment" is the problem, and it doesn't exist because Javascript is superior to other languages, and should be used everywhere, but only because web developers are easier to find and cheaper to hire.

And in any case, you could ship a "standard library" for javascript that covers most common use cases in a single static file. We used to do that, it was called JQuery. Even assuming for the sake of argument that Javascript's standard library is lacking, that doesn't justify the mess that is Node's micropackages.

Ginden · 4 years ago
> Why couldn't Javascript have ever built a halfway decent standard library?

Because it's consensus-driven, and that consensus is achieved at meetings organized every ~3 months.

And because of strict backwards compatibility rule, everyone is extremely cautious.

I tried to add new methods to Set, but the proposal is basically being held hostage by the subclassing proposal. https://github.com/tc39/proposal-set-methods

goohle · 4 years ago
Browser is the standard library for JavaScript language.
scns · 4 years ago
Deno provides one.
maple3142 · 4 years ago
I think lodash fits this role?