benmccann commented on The unexpected effectiveness of one-shot decompilation with Claude   blog.chrislewis.au/the-un... · Posted by u/knackers
benmccann · 9 days ago
I used Gemini to compare the minimized output of the Rollup vs Rolldown JavaScript bundlers to find locations where the latter was not yet at the same degree of optimization. It was astoundingly good and I'm not sure how I would have been able to accomplish the task without an LLM as an available tool.
benmccann commented on Shai-Hulud Returns: Over 300 NPM Packages Infected   helixguard.ai/blog/malici... · Posted by u/mrdosija
mcintyre1994 · 21 days ago
FYI your first link is the same as your third link. It's correct as the third link, so the Zapier one is missing.
benmccann · 21 days ago
fixed!
benmccann commented on Shai-Hulud Returns: Over 300 NPM Packages Infected   helixguard.ai/blog/malici... · Posted by u/mrdosija
benmccann · 21 days ago
Hundreds of people had access to publish the Zapier SDK, so it's little surprise they were eventually compromised! (https://bsky.app/profile/benmccann.com/post/3m6fdecsbdk2u)

The e18e community are reducing dependencies in popular libraries and building tools to prevent and reduce the impact of such attacks. Join if you want to help out! https://e18e.dev/

Just this morning, after trying to make the case over the past year, we had a change landed to remove more than a dozen dependencies from typescript-eslint! https://bsky.app/profile/benmccann.com/post/3m6fcjax7ec2h

benmccann commented on Shai-Hulud malware attack: Tinycolor and over 40 NPM packages compromised   socket.dev/blog/ongoing-s... · Posted by u/jamesberthoty
homebrewer · 3 months ago
When the left-pad debacle happened, one commenter here said of a well known npm maintainer something to the effect of that he's an "author of 600 npm packages, and 1200 lines of JavaScript".

Not much has changed since then. The best counter-example I know is esbuild, which is a fully featured bundler/minifier/etc that has zero external dependencies except for the Go stdlib + one package maintained by the Go project itself:

https://www.npmjs.com/package/esbuild?activeTab=dependencies

https://github.com/evanw/esbuild/blob/755da31752d759f1ea70b8...

Other "next generation" projects are trading one problematic ecosystem for another. When you study dependency chains of e.g. biomejs and swc, it looks pretty good:

https://www.npmjs.com/package/@biomejs/biome/v/latest?active...

https://www.npmjs.com/package/@swc/types?activeTab=dependenc...

Replacing the tire fire of eslint (and its hundreds to low thousands of dependencies) with zero of them! Very encouraging, until you find the Rust source:

https://github.com/biomejs/biome/blob/a0039fd5457d0df18242fe...

https://github.com/swc-project/swc/blob/6c54969d69551f516032...

I think as these projects gain more momentum, we will see similar things cropping up in the cargo ecosystem.

Does anyone know of other major projects written in as strict a style as esbuild?

benmccann · 3 months ago
Yes, eslint is particularly frustrating: https://npmgraph.js.org/?q=eslint

There are plenty of people in the community who would help reduce the number of dependencies, but it really requires the maintainers to make it a priority. Otherwise the only way to address it is to switch to another solution like oxlint.

benmccann commented on Next.js is infuriating   blog.meca.sh/3lxoty3shjc2... · Posted by u/Bogdanp
gigatree · 3 months ago
A little disingenuous to say “only 3/40” maintainers. Which 3? And what percentage of the total work hours invested per month do those 3 represent?
benmccann · 3 months ago
The number 3, 4, and 5 contributors to SvelteKit in the past year work at Vercel: https://github.com/sveltejs/kit/graphs/contributors?from=8%2...

Rich and Simon are incredibly important, but they're in it for Svelte and the community more so than a paycheck from Vercel. Tee has been doing most of the maintenance on SvelteKit currently funded by community donations. And this isn't counting other infrastructure like vite-plugin-svelte or the Svelte CLI which are entirely maintained by volunteers. I don't think Vercel funds a majority of the work on Svelte even if it might be close to it.

benmccann commented on Next.js is infuriating   blog.meca.sh/3lxoty3shjc2... · Posted by u/Bogdanp
tommica · 3 months ago
Svelte is financed by vercel, so who knows if sveltekit drifts in the same direction.
benmccann · 3 months ago
Only 3/40 Svelte maintainers work at Vercel, and they mainly finance work on Svelte core. SvelteKit day-to-day is primarily maintained by folks outside Vercel.
benmccann commented on Vendors that treat single sign-on as a luxury feature   sso.tax/... · Posted by u/vinnyglennon
agoodusername63 · 4 months ago
This is how I've come to accept it too

And honestly when I really really want SSO anyways, I can bolt on vouch proxy for free

benmccann · 4 months ago
Wouldn't vouch proxy only work with self hosted apps? How would you use it with a SaaS app?
benmccann commented on PlasticList – Plastic Levels in Foods   plasticlist.org/... · Posted by u/homebrewer
culi · 6 months ago
Are you associated with plastic.love? If so you should be explicit about it.

Also, if it's crowdfunded, why am I unable to see any finished results without giving you my email?

benmccann · 6 months ago
What is the plastic.love you're referring to? That domain doesn't resolve for me. Do you mean PlasticList?
benmccann commented on I like Svelte more than React (it's store management)   river.berlin/blog/why-i-l... · Posted by u/adityashankar
90s_dev · 6 months ago
According to a resonating reddit comment, Svelte isn't more popular because it's simply too late; React and Vue got there early and got good enough, so Svelte can't really get as big as them.

I think this might be true short term, but long term it means Svelte has more room to evolve with the web and with JavaScript itself, since fewer users means more room to move fast and break things, like Zig can and does. And Zig isn't dead.

This gives me a little encouragement for my personal web reactivity project. I'm confident I came up with a reactivity model that's technically innovative, which does and is what I always wanted React to do and be. But being so late to the game, my hypothetical framework has no chance to gain traction. I say hypothetical because I haven't even started making it yet. It would be built on the Ref class[1] that came out of my experimental work on os.90s.dev, but only last night did I finally get around to experimenting with using it with HTML[2].

The concept is to have JSX transform to allowing attributes to be given MaybeRefs and, if it's a ref, then watch it and set the attr to the value, and just return the HTMLElement itself. This should be a good enough foundation to build an entire reactive framework around.

Having almost no users is a blessing, because it gives me the complete freedom to experiment with this relatively slowly. The time between creating refs and stabilizing them was a few months. The time between stabilizing them and using them in that experiment was another month. It'll probably be another month before I get a functioning non-trivial app working with it. And another few months before it's cleaned up enough to be both generic and convenient.

Maybe this should have been a blog post. I never know.

[1]: https://90s.dev/guides/refs.html

[2]: https://github.com/sdegutis/bubbles/commit/cde2bea973b22538f...

benmccann · 6 months ago
It's neither true that Svelte has few users nor that we can easily break things. Tons of sites are built with Svelte, like Yahoo Finance and Apple Music. Svelte 5 was the only big change in syntax in the past five years, and we made sure that there's a good migration tool, etc. to minimize the amount of hardship an upgrade might cause. As a result, the majority of users have already upgraded to Svelte 5.

That being said, Svelte absolutely does continue to innovate. We'll be introducing a new async primitive, RPC mechanism, etc. in the near future: https://m.youtube.com/watch?v=1dATE70wlHc

benmccann commented on Claude 4   anthropic.com/news/claude... · Posted by u/meetpateltech
benmccann · 7 months ago
The updated knowledge cutoff is helping with new technologies such as Svelte 5.

u/benmccann · Karma: 1312 · Cake day: August 18, 2010