The Dangers of Using Code You Don't Control

The Events

What happened

The Drama

The Developer's Take

Kik's Side of Things

NPM's Take

The Reaction Blog Post With Some Good Points And An Aggressive Title Published After Any Major Tech Event

What Are We Even Talking About

What is NPM

A Tutorial on Using NPM


Checks for Understanding

Fork this Gist and Respond to the Following Questions

  • In broad strokes, summarize the event:

The messenger app Kik found a js package called kik written by Azer Koçulu. They asked him to change the name, and when he refused they went to NPM and asked them to step in and change the name. NPM agreed, which infuriated Azer enough that he deleted all of his packages. One of these was left-pad, an 11 line piece of js that added padding to the left side of strings. Thousands of other projects were dependent on left-pad, and when it was removed, they all began to fail as well. NPM had to step in and "un-remove" it because so many projects broke.

  • How do NPM and RubyGems relate?

I've always thought of them as completely equivalent. In fact it was by relating NPM to RubyGems that I was even able to have a sense of understanding about what NPM was. I guess the biggest difference is that RubyGems just acts as a directory of gems, pointing users to the owner's repos, whereas NPM actually controls the distribution of the packages through a command line install interface (does RubyGems do that?)

  • What is left-pad and why is it used?

It adds leading zeros to strings and numbers. For example, leftpad('foo', 5) = " foo". I can see this being useful for SKUs, barcodes, and other situations where all your data needs to be the same length, but int would remove leading zeros?
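As an added illustration of the behaviour this answer describes (example code written for this page, not the source of the npm package itself): a from-scratch re-implementation of a left-pad function with the call shape `leftPad(str, len, ch)`, covering the default space padding, the zero-padding case the answer wonders about, numeric input, and a string that is already long enough.

```javascript
// Added example: a re-implementation of the left-pad behaviour described
// above. It is NOT the code of the original npm package; it only mirrors
// the call shape leftPad(str, len, ch) used in this gist.
function leftPad(str, len, ch) {
  // Coerce the input to a string so numbers can be padded too.
  str = String(str);
  // The pad character defaults to a single space. Anything else is
  // stringified and its first character is used, so leftPad(7, 3, 0)
  // gives "007" (a zero-padded number survives as a string).
  ch = ch === undefined ? ' ' : (String(ch).charAt(0) || ' ');
  const missing = len - str.length;
  // A string that already reaches the target length is returned as-is;
  // it is never truncated.
  if (missing <= 0) return str;
  return ch.repeat(missing) + str;
}

console.log(JSON.stringify(leftPad('foo', 5)));  // "  foo"
console.log(leftPad(7, 3, 0));                    // 007
console.log(leftPad(42, 5, '-'));                 // ---42
console.log(leftPad('longer', 3));                // longer
```

The whole behaviour fits in a handful of lines, which is the point of the incident summarized above: the dependency was trivial to write, yet thousands of projects chose to pull it from a registry they did not control rather than own those lines themselves.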

Observing

  • Go through some past projects you've worked on and look through the gemfiles.

  • Pick three gems - try to pick a combination of obscure gems and ones you use on every project

  • List them with links to their Github repos here:

    • Figaro
      • What does this Gem generally do? Sets up a convention to hide configuration values from git
      • When is the date of the last commit?: Jul 15, 2015
      • How many open issues does it have?: 35
      • Link to one piece of code or a file you understand
        • What does this code do?: Hey look! Initialize. I know what that does.
      • Link to one piece of code or a file you don't understand at all?
        • What do you think this code might do? Since it's in the env file and it's trying to get a key of some sort...I'm guessing this is how it manages to tell which environment is being used. Honestly, I could link to the whole project, it's so far over my head.
      • Does it seem reasonable to add this dependency into your code?: Since the author's name sounds like LuluLemon, it must be safe, right? Honestly, when looking at gems I look more at how many downloads it has and how often it's maintained. Eight months is a little long in my book, but with over 1.5 million downloads, it seems like a safe bet, and since I can't write any of this code myself I have no choice.
    • Faker
      • What does this Gem generally do? Generates fake data for seeding
      • When is the date of the last commit?: Feb 23, 2016
      • How many open issues does it have?: 51
      • Link to one piece of code or a file you understand
        • They are just 'sample'-ing random star wars attributes from arrays of attributes.
      • Link to one piece of code or a file you don't understand at all?
        • What do you think this code might do? I know it parses the data they get back from activeRecord, I just don't get exactly how. But I like that they put in comments, I think that's a nice thing to do when building a gem, because it walks me through what the code is doing even if I don't understand it.
      • Does it seem reasonable to add this dependency into your code?: Yeah, it's maintained and documented well, has over 8 million downloads and contains a huge library of data that I would never build myself.
    • LoDash Rails
      • What does this Gem generally do? Allows for using lodash in the rails asset pipeline
      • When is the date of the last commit?: Mar 15, 2016
      • How many open issues does it have?: 48
      • Link to one piece of code or a file you understand
        • See link
      • Link to one piece of code or a file you don't understand at all?
        • No idea, it's detecting stuff... but there are comments, so that's nice, it tells me what it's detecting.
      • Does it seem reasonable to add this dependency into your code?: It's maintained well and definitely does something I couldn't do myself. It doesn't have a ton of downloads, but that could be because it's so specialized. Since Tess suggested it to me, I'm gonna say yes to this one too.
  • What are some factors you consider when adding dependencies to your projects?

How recently it's been maintained, how many others use it, who recommended it to me.
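The "Observing" checklist above gathers dependency facts by hand (last commit, open issues, downloads), and the summary of the left-pad event shows why the transitive picture matters: a package nobody lists directly can still be the one everything breaks on. Below is an added example, written for this page and not taken from npm, RubyGems or any project named above, that puts both ideas into code. It reads a constructed, simplified lockfile in the lockfileVersion-1 style (only `version` and `requires` are modelled), computes which packages would break if a given package vanished from the registry, and applies the two criteria from the answer above (maintenance recency, using the "eight months" rule of thumb as 240 days, and download count) to constructed metadata. All package names, versions, dates and counts are made up except the name left-pad.

```javascript
// Added example; not code from the page or from npm. The lockfile below is
// CONSTRUCTED and simplified: each entry carries only the resolved version
// and the packages it "requires" (lockfileVersion-1 shape, nothing else).
const lock = {
  dependencies: {
    'web-app-framework': { version: '1.0.0', requires: { 'template-lib': '^2.0.0', 'string-utils': '^1.0.0' } },
    'template-lib':      { version: '2.3.1', requires: { 'line-numbers': '^0.1.0' } },
    'line-numbers':      { version: '0.1.2', requires: { 'left-pad': '^1.0.0' } },
    'string-utils':      { version: '1.4.0', requires: { 'left-pad': '^1.0.0' } },
    'left-pad':          { version: '1.0.2', requires: {} },
    'test-runner':       { version: '5.0.0', requires: {} },
  },
};

// CONSTRUCTED maintenance metadata of the kind the checklist above asks
// you to look up by hand. Dates and numbers are invented for the example.
const meta = {
  'left-pad':     { lastCommit: '2016-03-23', openIssues: 2,  downloads: 2500000 },
  'line-numbers': { lastCommit: '2014-01-10', openIssues: 30, downloads: 8000 },
  'template-lib': { lastCommit: '2016-02-01', openIssues: 12, downloads: 400000 },
};

// Follow the "requires" edges from one package and return the set of every
// package it pulls in transitively. A required name that has no lockfile
// entry is still recorded, so the caller can see the dangling reference.
function transitiveDeps(lock, name, seen = new Set()) {
  const entry = lock.dependencies[name];
  if (!entry) return seen;
  for (const dep of Object.keys(entry.requires || {})) {
    if (!seen.has(dep)) {
      seen.add(dep);
      transitiveDeps(lock, dep, seen);
    }
  }
  return seen;
}

// Invert the graph: for every package, list the packages that depend on it
// directly or transitively, i.e. everything that breaks if it disappears.
function blastRadius(lock) {
  const radius = {};
  for (const name of Object.keys(lock.dependencies)) {
    for (const dep of transitiveDeps(lock, name)) {
      (radius[dep] = radius[dep] || []).push(name);
    }
  }
  return radius;
}

// Sorted list of packages that would break if `name` were removed.
function whatBreaksIfRemoved(lock, name) {
  return (blastRadius(lock)[name] || []).slice().sort();
}

// Apply the criteria from the answer above: how recently the package was
// maintained (240 days stands in for "eight months") and how widely it is
// used. `asOf` is fixed so the result does not drift with the clock.
function reviewDependency(name, meta, asOf = new Date('2016-03-24')) {
  const m = meta[name];
  if (!m) return { name, verdict: 'unknown', reasons: ['no metadata available'] };
  const ageDays = Math.floor((asOf - new Date(m.lastCommit)) / 86400000);
  const reasons = [];
  if (ageDays > 240) reasons.push(`last commit ${ageDays} days ago`);
  if (m.downloads < 100000) reasons.push(`only ${m.downloads} downloads`);
  return { name, verdict: reasons.length ? 'review' : 'ok', reasons };
}

console.log('breaks if left-pad is removed:', whatBreaksIfRemoved(lock, 'left-pad'));
for (const name of transitiveDeps(lock, 'web-app-framework')) {
  console.log(reviewDependency(name, meta));
}
```

Run against the constructed lockfile, left-pad is required directly by only two packages but sits under four of the six entries, while `line-numbers`, which nothing lists at the top level, fails both criteria. The review step deliberately emits a verdict plus the reasons, so a reader can disagree with a threshold without losing the evidence behind it.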

Challenge Level Understanding (OPTIONAL but cool)

Building
