@ToniRib
Forked from rrgayhart/package-management.markdown
Last active March 24, 2016 15:07
The Dangers of Using Code You Don't Control

The Events

What happened

The Drama

The Developer's Take

Kik's Side of Things

NPM's Take

The Reactionary Blog Post With Some Good Points And An Aggressive Title Published After Any Major Tech Event

What Are We Even Talking About

What is NPM

A Tutorial on Using NPM


Checks for Understanding

Fork this Gist and Respond to the Following Questions

  • In broad strokes, summarize the event
    • A developer, Azer, wrote a JS package called kik that was published on npm a while ago. Separately, a company that is trademarked in many countries around the world with a ton of users, also called Kik, wanted to release their own kik package on npm, which is forbidden because npm only allows one package to hold that name. Kik contacted Azer to try to work it out (aka to get him to change his package's name) and when he wouldn't, they went straight to npm to try to get it resolved. NPM followed their documented protocol and determined that in order to not confuse users, the kik name should go to the Kik company. This pissed off Azer, who doesn't like big corporations, so instead of renaming his package he had npm remove that package and about 272 others all at the same time, one of which was left-pad. Apparently a ton of stuff like React and Babel rely on left-pad through some dependencies and thus thousands of builds started failing on Tuesday. NPM eventually resurrected the same version of the package (a few hours later) to fix everyone's code.
  • How do NPM and RubyGems relate?
    • NPM is very similar to RubyGems in that it is a place for developers to publish code that other developers can then freely download and use in their own projects. Similar to how we use Ruby gems in a project, you can use npm modules in a project as dependencies. npm install works pretty similarly to bundle, though I've personally had way more issues with npm than bundle.
  • What is left-pad and why is it used?
    • left-pad is a package on npm that is 11 lines of code and is literally meant to pad out the left side of a string with zeros or spaces. I actually completely agree with the over-inflated arguments of the last blog post we read. Why on earth did people not just write this themselves? I get needing dependencies like bcrypt because it's a pain in the ass to write your own authentication system for users. But I don't like the idea of adding hundreds or thousands of dependencies just to pad a string.
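To make concrete how small the function at the centre of the event is, here is an added example. It is not the original left-pad package's code and not part of the assignment: a self-written left pad that handles the edge cases a caller actually hits, cross-checked against `String.prototype.padStart`, which ES2017 later added to the language itself. The names `leftPad` and `sameAsBuiltin` are this example's own.

```javascript
// Added example (not the original left-pad package's code): a self-written
// left pad, the kind of utility the post argues you can write yourself.
// `leftPad` and `sameAsBuiltin` are names chosen for this example.

/**
 * Pad `value` on the left with `ch` until it is at least `len` characters.
 * - Non-string inputs (numbers, booleans) are coerced with String().
 * - A missing or empty `ch` pads with spaces; a multi-character `ch` is
 *   repeated and truncated so the result is exactly `len` characters.
 * - If `value` is already `len` or longer it is returned unchanged.
 * - A negative, NaN or non-numeric `len` means "no padding".
 */
function leftPad(value, len, ch) {
  const str = String(value);
  const fill = ch === undefined || ch === null || ch === '' ? ' ' : String(ch);
  const width = Number.isFinite(len) ? Math.trunc(len) : 0;
  const missing = width - str.length;
  if (missing <= 0) return str;
  let pad = '';
  while (pad.length < missing) pad += fill;
  return pad.slice(0, missing) + str;
}

// Cross-check against String.prototype.padStart, which ES2017 added to the
// language itself: for these inputs the hand-rolled version and the built-in
// must agree, so neither needs a third-party package.
function sameAsBuiltin(value, len, ch) {
  const fill = ch === undefined || ch === null || ch === '' ? ' ' : String(ch);
  return leftPad(value, len, ch) === String(value).padStart(len, fill);
}
```

The point of the cross-check is not that padStart existed in March 2016 (it did not ship in engines until later); it is that a utility this small can be owned in your own tree, or taken from the platform, rather than fetched from a registry whose contents someone else can withdraw.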

Observing

  • Go through some past projects you've worked on and look through the gemfiles.
  • Pick three gems - try to pick a combination of obscure gems and ones you use on every project
  • List them with links to their Github repos here
  • What does this Gem generally do?
    • It suppresses log messages from the Rails asset pipeline. So, especially when in development, if you are loading a bunch of different JS and SCSS files, you don't have to see a GET and Served asset message for every single one every time you refresh the page. This allows me to focus on the important messages instead.
  • When is the date of the last commit?
    • March 20, 2015
  • How many open issues does it have?
    • 9
  • Start looking around the source code
    • Link to one piece of code or a file you understand
      • quiet_assets.rb
      • There's actually only this one file and a test file so I didn't have a lot of code to choose from. However, what it looks like this part of the code is doing is seeing if the path info for the current environment matches any of the ASSETS_REGEX string (which is a list of assets to suppress in the logs) and if it does match, then it sets the logger level to error so they aren't usually displayed.
    • Link to one piece of code or a file you don't understand at all?
      • quiet_assets.rb
      • I assume this is somehow hooking into the low level Rails driver, but I haven't actually seen something inherit directly from ::Rails::Engine before.
  • Does it seem reasonable to add this dependency into your code?
    • It's simple but I like it. It doesn't affect anything except for the logging and I usually only put it in my development environment so I can still see everything that gets logged in production. I sure would not have come up with this code myself. However, it looks like there's an issue open about Rails 5 which references Rails.logger.silence as a new method that can be used as a replacement for this in future versions of Rails.
  • What does this Gem generally do?
    • Allows you to use some easy to understand keywords when writing feature tests in Rails to simulate how a user would actually interact with a website.
  • When is the date of the last commit?
    • 6 days ago
  • How many open issues does it have?
    • 21 (but some have been open since 2014)
  • Start looking around the source code
    • Link to one piece of code or a file you understand
      • base_query.rb
      • This is a simple snippet that checks the @options hash for the key ':wait' and if it exists, either grab what it is or the number 0, or if it doesn't exist, then just use the default Capybara maximum wait time.
    • Link to one piece of code or a file you don't understand at all?
      • driver.rb
      • I haven't ever seen a at_exit do block before so I looked it up here. It looks like it converts the entire block to a Proc and then runs it when the program is terminated. I guess I don't really understand what this is being used for in the code and why it's necessary.
  • Does it seem reasonable to add this dependency into your code?
    • I think so. I've talked to people from various companies who all seem to use capybara. I know Rails/RSpec has some native support for some of the capybara features but I think capybara extends them and makes them a little more readable.
  • What does this Gem generally do?

  • When is the date of the last commit?
    • March 22, 2016
  • How many open issues does it have?
    • 4, and one of them is from 2013.
  • Start looking around the source code
    • Link to one piece of code or a file you understand
      • uglifier.rb
      • Sets the options for the comments based on what the user has. For example, they might have set up to use jsdoc or copyright. It's based on the block below 'comment_setting' that gets the specified info from the @options hash.
    • Link to one piece of code or a file you don't understand at all?
      • split.js
      • It's not even that I don't understand, it's just WHY DIDN'T THEY BREAK THIS INTO MULTIPLE FUNCTIONS? This looks like code I used to write before coming back to Turing. A lot of lines of code, a shit load of nested statements, and a bunch of comments to attempt to explain what I was trying to do because it isn't apparent at all.
  • Does it seem reasonable to add this dependency into your code?
    • I'm actually not sure. I think the asset pipeline does this and I don't know if it just uses Uglifier behind the scenes or what. Based on the way they say to use it, I don't think I'm actually using it in a project.
  • What are some factors you consider when adding dependencies to your projects?
    • Do I actually need this? Is it something simple enough that I can write myself? How well maintained does the code seem? If it's been 5 years since the last commit and there's a ton of issues open, I generally look for an alternative.
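The factors above can be turned into a mechanical first pass before the human review. What follows is an added example, not part of the assignment and not the code of any tool named on this page: a function that takes a constructed package.json and constructed per-dependency facts (last commit date, open issue count, lines of code, the things the Observing questions ask you to look up) and returns the questions a reviewer should ask of each one. The package names, the facts, and the thresholds (15 lines for "could you write this yourself", 5 years for "stale", 20 for "many open issues") are all assumptions chosen for this example; the 5-year figure mirrors the rule stated above.

```javascript
// Added example: a first-pass dependency review over constructed data.
// `reviewDependencies`, `yearsBetween`, the sample packages and the
// thresholds below are all this example's own assumptions.
const MAX_TRIVIAL_LINES = 15;  // assumption: at or below this, ask "could I write it myself?"
const STALE_YEARS = 5;         // assumption: mirrors the "5 years since the last commit" rule
const MANY_OPEN_ISSUES = 20;   // assumption

// Constructed sample input: a package.json and the facts you would gather from
// the registry page and the repo's commit log. These are not real packages.
const SAMPLE_PACKAGE_JSON = {
  dependencies: {
    'tiny-pad': '1.0.0',
    'auth-lib': '0.8.5',
    'abandoned-parser': '2.1.0',
    'mystery-util': '0.1.0',
  },
};
const SAMPLE_FACTS = {
  'tiny-pad':         { lastCommit: '2015-03-20', openIssues: 2,  linesOfCode: 11 },
  'auth-lib':         { lastCommit: '2016-03-18', openIssues: 12, linesOfCode: 1800 },
  'abandoned-parser': { lastCommit: '2010-06-01', openIssues: 40, linesOfCode: 900 },
  // 'mystery-util' deliberately has no facts: nobody looked at it yet.
};

// Elapsed years between two ISO dates (YYYY-MM-DD), using an average year.
function yearsBetween(fromIso, toIso) {
  const ms = new Date(toIso) - new Date(fromIso);
  return ms / (365.25 * 24 * 60 * 60 * 1000);
}

/**
 * Returns { name: [question, ...] } for every declared dependency.
 * An empty list means no heuristic fired; it does not mean the dependency
 * is safe, only that the cheap checks found nothing to ask about.
 */
function reviewDependencies(pkg, facts, todayIso) {
  const report = {};
  for (const name of Object.keys(pkg.dependencies || {})) {
    const f = facts[name];
    const notes = [];
    if (!f) {
      notes.push('no facts gathered: look at the repo before depending on it');
    } else {
      if (f.linesOfCode <= MAX_TRIVIAL_LINES) {
        notes.push(`only ${f.linesOfCode} lines: could you write this yourself?`);
      }
      const age = yearsBetween(f.lastCommit, todayIso);
      if (age >= STALE_YEARS) {
        notes.push(`last commit ${age.toFixed(1)} years ago: is it still maintained?`);
      }
      if (f.openIssues >= MANY_OPEN_ISSUES) {
        notes.push(`${f.openIssues} open issues: are they being handled?`);
      }
    }
    report[name] = notes;
  }
  return report;
}

// Usage: reviewDependencies(SAMPLE_PACKAGE_JSON, SAMPLE_FACTS, '2016-03-24')
```

A dependency with no questions still needs the read-the-source step the Observing section walks through; this pass only decides where to spend that time first.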