this post was submitted on 16 Mar 2024
52 points (100.0% liked)

TechTakes

1435 readers
97 users here now

Big brain tech dude got yet another clueless take over at HackerNews etc? Here's the place to vent. Orange site, VC foolishness, all welcome.

This is not debate club. Unless it’s amusing debate.

For actually-good tech, you want our NotAwfulTech community

founded 1 year ago
MODERATORS
 

Not entirely the usual fare, but i figured some here would appreciate it

I often rag on the js/node/npm ecosystem for being utter garbage, and this post is a quite a full demonstration of many of the shortcomings and outright total design failures present in that space

all 18 comments
sorted by: hot top controversial new old
[–] gerikson@awful.systems 12 points 8 months ago (2 children)

The commenters on HN and lobste.rs are generally on the side of the package creators, with the view that NPM is run by GitHub, who is owned by Microsoft. All this is true, but it doesn't follow from that that the NPM people are paid fuck-you money. I suspect they're understaffed, and overworked, and that this stunt didn't make them very happy.

Although in retrospect, not anticipating that some rando would try to depend on everything in the repository seems like a naive view on human nature.

[–] V0ldek@awful.systems 8 points 8 months ago* (last edited 8 months ago)
  1. If they are understaffed - Microsoft is trying to sell itself as OSS friendly, so they have absolutely zero excuse for not putting enough resources into something this load-bearing and this historically shitty.
  2. If they are well-funded, what the fuck is that money being spent on, ChatNPM?
  3. Npm was acquired by GitHub in 2020. It has been an utter dumpster fire for its entire history. Being acquired by Microsoft doesn't absolve you from having created the tool Satan the Lord of Hell will use to break the Seventh Seal and bring upon a thousand years of darkness upon humanity.
[–] froztbyte@awful.systems 6 points 8 months ago (1 children)

there's probably a few people trying this in every other language ritenao

guess we'll find out in a few weeks!

[–] Architeuthis@awful.systems 11 points 8 months ago (1 children)

An interesting read in general but the writers proclaiming themselves ethical hackers in the opening paragraph only to turn into wittle birthday boys as soon as it turned out their uh experiment caused major disruptions was mildly off putting.

[–] cwood@awful.systems 7 points 8 months ago (1 children)

A really good lesson on offline backups of things like issue trackers, though.

[–] froztbyte@awful.systems 8 points 8 months ago (1 children)

when I first did this for a project a couple of years ago, the github api endpoint for this sucked extremely bad. I no longer remember all the details but it was something like 3 different sets of things you had to get to make sure you had somewhat of a full picture. might be better these days. and even then it's still only the first piece in the puzzle

but yeah, by and large a rather extreme percentage of the modern industry is extremely dependent on a vary narrow scope of SPoFs, and may are clueless about how to even approach this. 2 decades of computer-renting, yay!

[–] V0ldek@awful.systems 4 points 8 months ago (1 children)

Okay, I might be brainfarting here, but... why is blocking _un_publishing such a big deal? I understand that it might be annoying, but this talks about it like it broke the fucking system, as if it was as important as actually publishing packages.

How often do people in JS world unpublish packages?

[–] froztbyte@awful.systems 5 points 8 months ago (1 children)

seems like a perfectly normal thing to do to me. maybe you uploaded it under the wrong account, or licensing change, or need to do a security- or danger-related retraction, or ...

hell, maybe you just changed your mind! that's allowed too! or should be

[–] V0ldek@awful.systems 4 points 8 months ago (1 children)

I totally get that it's a normal thing and it is a disruption of service, but it doesn't strike me as "everybody freak out".

If, say, Lemmy stopped you from deleting your comments for 24h few would even notice.

[–] earthquake@lemm.ee 6 points 8 months ago* (last edited 8 months ago)

I am guessing* that the "everybody freak out" part happened when the extent became evident and everyone realized all of npm was suddenly unpublishable, not so much because everyone individually freaked out individually immediately.

*extrapolating from the NPM community being described as frustrated but mostly forgiving.