Please Stop With MicroLibraries NPM

  Views: 101,305

ThePrimeTime

Comments: 320
@AliAltun 5 months ago
"A little copying is better than a little dependency." Rob Pike - Go Proverbs
@albertoarmando6711 5 months ago
wisdom
@paulleimer1218 4 months ago
My hope is LLMs will help convince people not to use microlibraries
@asd121asd 3 months ago
nah, they'll do the average thing, which is to add microlibraries all over the place
@annacurransmotherofmeghanc1841 5 months ago
My old boss had one of those micro thingy's.... at least that's what his wife told me one time at a Christmas party. I wonder why she shared that with me anyway?
@DataToTheZero 5 months ago
Strong Autism Posting: Normal Men: Woman says something tangentially related to sex. She must want to have sex. Autistic Men: Woman asks if you want to see her new mattress. Why would I want to see a new mattress, doesn't even sound like it's anything special.
@Lolimov 5 months ago
I see what you did there...
@jwr6796 5 months ago
You lose
@bloodline39 5 months ago
She thought that you share the same problem as your boss
@Kafuggi 5 months ago
Micro Packages can cause a lot of strain in relationships
@macchiato_1881 5 months ago
This is why I just take code from npm micro libraries and just "borrow" it into my codebase. Most of this stuff is just single file crap that can be "borrowed politely".
@thekwoka4707 4 months ago
99% of it is shit anyway, so even borrowing it is too much. Just rewrite it yourself.
@ruslan_yefimov 4 months ago
@thekwoka4707 Copying is easier. Unless you wanna change something about it
@nicholasmaniccia1005 4 months ago
@thekwoka4707 I remember being new to programming during that whole leftpad thing. I forgot who said it and it was probably a lot of people but this guy was one of the first, "the problem isn't that leftpad got pulled, it's that so many developers built applications that relied on an external package to do something as trivial as padding a string." I like JavaScript a lot, prototypes are better than classes for a whole bunch of reasons. But I hate how other people use it, they are either frankenhackers or programmers who are usually pretty skilled and experienced but not giving JS the time of day and see it as an inconvenience that they try to make look and work like their preferred language.
@follantic 4 months ago
Just go to the git repo and copy what you need. It's a great resource. Somebody should write an npm-degit package. Wait.
@CallousCoder 5 months ago
Back when I wrote mission critical software for health care, most products that could potentially kill a person, no external libraries (not even libc) were used. Since you also had to prove it to be correct. Which made development slow at times, but also fun because you got to do those low-level things.
@thekwoka4707 4 months ago
Nothing more fun than an afternoon spent arguing about whether a loop should be manually unrolled.
@cthecheese 4 months ago
Are those types of jobs still around, because we should really consider getting back to that.
@CallousCoder 4 months ago
@cthecheese yeah sure, the conservative healthcare, aerospace, energy production (nuclear/gas turbines)
@cthecheese 4 months ago
@CallousCoder thanks!
@Kane0123 5 months ago
I can’t be expected to write custom string padding at every company. I’m a backend engineer, not a string engineer.
@gerkim62 5 months ago
copy it into your codebase it is literally 5 lines ctrl c ctrl v
@stefanalecu9532 5 months ago
You're a useless engineer if you can't write left-pad
@unformed 5 months ago
erm it's sarcasm
@RealRatchet 5 months ago
@stefanalecu9532 reddit moment
@winterhell2002 5 months ago
@unformed millions of people who download leftpad or is-even aren't all trolling. Some really can't or won't write the code
@pl4gueis 4 months ago
Prime: "Flip you are gonna have a hard time editing this" Flip: "No problem. I just leave it all in anyway"
@Jarikraider 5 months ago
I don't get why Prime is bashing regex. CrowdStrike uses regex, so obviously it is professional grade.
@omkargurme20 4 months ago
Don't forget cloudflare as well
@mattymattffs 4 months ago
Regex is fucking awesome. It's very simple overall. People just try and use it for too much.
@voskresenie- 3 months ago
The problem with regex is that there are a thousand different variants, and the base standard isn't powerful enough so you basically have to use a program's variants, but they won't carry over to a different program. Even with the basic features, there are many different ways of escaping. Vim has support for 4 different regex escape formats. Seriously. It's a mess. But if there were a powerful variant that had broad, if not universal, adoption, it'd be incredible.
@alanscodelog 5 months ago
Omg, the ansi color thing. I literally just saved 6-7 consts for the escape codes for common colors to my utils library and I don't think I ever needed the colors library again.
@follantic 4 months ago
Sindre Sørhus is trustworthy. Use chalk instead. For other small packages I've gotten into the habit of being skeptical and copying or reimplementing. I'd rather copy some code off of GH than have a dependency with 200 downloads a month.
@LewisMoten 4 months ago
Ditto. I also added the ability to nest colored text within colored text, so the color prior to the injected text was restored, and the reset tag wasn’t added if it wasn’t necessary.
@matt_milack 5 months ago
Your video on sysadmins, network admins, Linux, or Bash would make my day!
@JoeStuffzAlt 5 months ago
I remember npm before they fixed the directory nightmare on Windows. "Screw Windows users for npm having more than 255 folder paths due to node_modules dependencies". Where I stood on that is "okay, if there's a bug in that directory nightmare, how in the hell can I find it?"
@cyotaffer2180 5 months ago
This is also a huge problem in Cargo. Recently Debian said that Rust programs are unmaintainable for stable releases because they have way too many micro-dependencies.
@RomanAvdeevX 5 months ago
That's why Rust is statically linked
@happygofishing 5 months ago
@RomanAvdeevX rust ABI skill issue
@dealloc 5 months ago
I've maintained many services written in Rust at scale, and haven't really seen this being a huge problem compared to NPM. Mostly because when you search for packages on cratesio or librs, the list usually contains the most related and top used crates. Not saying it doesn't exist, I am sure it does, but you really have to seek it, and even then it's quite easy to dig into the source from the docs to see under the hood before you pull it. Compare this to NPM, which doesn't make this as nice and trivial. I am also curious what they consider "micro-dependencies", because some crates compile to the same things but provide some abstractions and DX (like thiserror, binrw/deku, nom, itertools, etc.), which you _technically_ could implement on your own, but is more than likely not to; especially if integrating with other crates that also provide these as features, which you can easily interop with.
@cyotaffer2180 5 months ago
@dealloc I am not 100% sure but I think that they have to support the exact version that they ship so they have to vet every single dependency in the project and they also have to write patches if something doesn't work for some architecture etc. They would rather have 10 or so libraries at most for a large project. As an example I saw that there were several crates that were crypto related for firefox and they wanted 1 standard crypto library for everything related to crypto in rust with good versioning, so there is no need to look at 20 different libraries. Also there could be multiple versions of libraries in a single project due to some other dependencies.
@lever1209 5 months ago
we need Maven style repositories for rust and cargo, easy to use central repositories are just breeding ground for all the worst kinds of software
@baxterdevin 5 months ago
"Maybe compile errors were the friends we made along the way." How DARE you, Prime! Take that back!
@AwesomeArgonanth 5 months ago
My question is, why do people even use these in the first place? The only time I even go look for a library for something is when that something would take a ton of time to figure out or do myself.
@danser_theplayer01 4 months ago
Suggestion: you should write trivial generalised helper functions in one little .js file and import it as a dependency from yourself, just copy paste the file into your project, import it where needed, and list it as part of the compilation process or whatever you're doing. Basically have your internal/personal/proprietary "package" to import helper functions.
@Lord_zeel 4 months ago
Re: GDPR and package managers. I would hope that the license provided on the package would essentially supersede GDPR. Though I also feel like there is a massive difference between giving a company some PII, and publishing something that contains PII. Like, can an author unpublish a book because it has their name on it? That would be pretty silly. So I would bet that packages don't count, since they are something you are actively publishing in a public way, making the giving out of PII explicitly something YOU are choosing to do. But even if that's not the case, I would think anything you attached an irrevocable license to wouldn't count anymore. If your name is part of the code that you have licensed, you can't just take it back.
@Exilum 5 months ago
23:13 Flip took it out but we skipped so much of the article 😭
@GrassXMagnum 5 months ago
My biggest bottleneck is listening to my IDE suggesting changes in code that hasn't been touched in years. It's very distracting and so satisfying. Then I need to stash it all and actually focus on my feature
@StingSting844 5 months ago
We've been doing this at work on a small scale. First we build out features, then after sometime we move the most stable dependencies into our own repo. We vet all our dependencies and the biggest fight is with frontend folks who don't understand the risk. We are in cyber security space and deal with multiple US govt agencies as clients
@Drezden79 5 months ago
I just had to do this on a new API client. The old one wasn't updated for six years and had tons of random dependencies. Got it down to three. Went from 50 vulnerabilities to 0.
@Merssedes 5 months ago
"Afraid that they won't be able to understand how things work" -- this is my main reason to NOT use libraries :)
@vaolin1703 4 months ago
This is why I have a hard time getting into vim since it seems like every tutorial immediately goes to installing packer and I don’t want to use something I don’t understand.
@bitwise-dev 5 months ago
34:12 this is very true, I always get this sentiment from colleagues that they think I am very very smart. What they don't understand is all I did was to learn of things in a very unhealthy amount of time outside work hour like working on my own projects.
@drooplug 5 months ago
Writing your thoughts down whether it's in pictures or code, reduces your mental load. You no longer have to keep track of all those things in your head while working. Starting from a simple program and move it towards a complex one is iteration. This is how progress is made. It's a great way to break down work into manageable steps. You don't climb Mt. Everest on your first day of Mountain climbing.
@ErazerPT 5 months ago
Yeah, too many people include stuff that is too small to not have been written by themselves. As for drawing... while i like whiteboards and UML, i mostly find it useful if I'm throwing around ideas as "black boxes" and I'm not sure how many there are or how they will connect. That and working on things where there's a "spatial relationship" of sorts. It's more of an "ordering modules" than a "what this does" thing.
@testtest-qm7cj 4 months ago
It is interesting to see that JS and Rust people are realizing that they need to move away from micro-libraries, which are the inevitable consequences of easy to use package managers like npm and cargo, while so many people on r/cpp complain about the current state of C++ package management and demand the C++ standard committee to focus more on the language tooling and to provide something similar to npm & cargo. I wonder what would be the better middle ground for both extremes?
@deathsride1818 5 months ago
I have this conversation with coworkers all the time. Regardless what you think about Microsoft and C#, this is why the official c# nuget packages are so good.
@FathDaniel 5 months ago
What? Nuget suffers from it, same way Rust does. I guess maybe no one uses C#, so no libraries.
@deathsride1818 5 months ago
@FathDaniel you can do it. Read it one more time. “Official” nuget packages. Look I even gave you a hint.
@joshuaworman4022 5 months ago
"the only difference between me and you is I'm a workaholic"
@l3lackoutsMedia 5 months ago
I think many things would be fixed, if libraries were just meant to be mirrored locally in a local repo, so that the internet going down or a change in a library (malicious or not) does not affect any build process at all unless you decide to sync your local repo to this new version.
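The pinning idea in the comment above, as an added example that is not part of the original thread: it audits an npm lockfile (the `packages` map of lockfile version 2/3) for entries that are not pinned to verifiable content, and checks mirrored tarball bytes against the pinned `integrity` value. The package names, the lockfile contents and the "tarball" bytes are constructed for illustration.

```javascript
const { createHash } = require('node:crypto');

// Accepted hash algorithms, weakest to strongest. sha1 is deliberately absent.
const STRENGTH = ['sha256', 'sha384', 'sha512'];

// SRI string ("sha512-<base64>"), the format npm stores in "integrity".
function sriFor(bytes, algo = 'sha512') {
  return `${algo}-${createHash(algo).update(bytes).digest('base64')}`;
}

// Split an integrity field (space-separated hashes) and keep strong entries.
function strongEntries(integrity) {
  if (typeof integrity !== 'string') return [];
  return integrity.split(/\s+/).filter(Boolean)
    .map((raw) => ({ raw, algo: raw.split('-')[0] }))
    .filter((e) => STRENGTH.includes(e.algo));
}

// True only if the bytes match a hash of the strongest algorithm present.
// A missing or sha1-only integrity value fails closed.
function matchesIntegrity(bytes, integrity) {
  const entries = strongEntries(integrity);
  if (entries.length === 0) return false;
  const best = Math.max(...entries.map((e) => STRENGTH.indexOf(e.algo)));
  return entries
    .filter((e) => STRENGTH.indexOf(e.algo) === best)
    .some((e) => sriFor(bytes, e.algo) === e.raw);
}

// Flag lockfile entries whose content could change without the lockfile changing.
function auditLockfile(lock, registry = 'https://registry.npmjs.org/') {
  const findings = [];
  for (const [path, pkg] of Object.entries(lock.packages ?? {})) {
    if (path === '' || pkg.link) continue; // root project, workspace links
    if (typeof pkg.resolved !== 'string' || !pkg.resolved.startsWith(registry)) {
      findings.push({ path, issue: 'outside-registry' });
    }
    if (!pkg.integrity) {
      findings.push({ path, issue: 'missing-integrity' });
    } else if (strongEntries(pkg.integrity).length === 0) {
      findings.push({ path, issue: 'weak-integrity' });
    }
  }
  return findings;
}

// Check a local mirror (Map of lockfile path -> tarball bytes) against the pins.
// Returns the paths whose bytes do not match what the lockfile recorded.
function verifyMirror(lock, mirror) {
  const mismatched = [];
  for (const [path, bytes] of mirror) {
    const pinned = lock.packages?.[path]?.integrity;
    if (!matchesIntegrity(bytes, pinned)) mismatched.push(path);
  }
  return mismatched;
}

// --- constructed sample data (hypothetical packages, not real tarballs) ---
const pinnedBytes = Buffer.from('constructed stand-in for pad-demo-1.0.0.tgz');
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/pad-demo': {
      version: '1.0.0',
      resolved: 'https://registry.npmjs.org/pad-demo/-/pad-demo-1.0.0.tgz',
      integrity: sriFor(pinnedBytes),
    },
    'node_modules/tiny-helper': {
      version: '0.0.1',
      resolved: 'git+https://example.com/someone/tiny-helper.git',
    },
    'node_modules/old-dep': {
      version: '0.1.0',
      resolved: 'https://registry.npmjs.org/old-dep/-/old-dep-0.1.0.tgz',
      integrity: 'sha1-AAAAAAAAAAAAAAAAAAAAAAAAAAA=',
    },
  },
};

console.log(auditLockfile(sampleLock));
console.log(verifyMirror(sampleLock, new Map([['node_modules/pad-demo', pinnedBytes]])));
```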
@Evilanious 5 months ago
In c++ we have the concept of a header only library which means "just copy it" is the intended package management.
@sakurajin_noa 5 months ago
However those come with their own set of problems. Many are way too large to be a header only library and would benefit from being split in a header and source file. Others like to cause linker problems because they are included in two compile units. Header only libraries also don't solve the micro Dependency issue. You can have a one line header only library and it is just as bad if not even worse than downloading a micro library. That being said due to the shit that is C++ package management, way more code is written from scratch rather than being included.
@replikvltyoutube3727 4 months ago
Came from C originally
@cthecheese 4 months ago
@sakurajin_noa they are essentially micro libraries where you risk duplicating its code all throughout your code base rather than just referencing it. As you are saying, both have their nightmare properties indeed.
@rumplstiltztinkerstein 5 months ago
I was doing some fancy shenanigans with a rust crate for encryption and found that there was a bug that happened when the library was compiled for webassembly. Basically it ran in an infinite loop when I ran some of the encryption functions. To find the source of the bug, I started to make it log the value of the variables during each of the loop steps when I ran that function. Eventually I got to the part where it was logging the same variable value in an infinite loop. What caused the bug was a combination of two decisions, doing a manual loop with a "while" and a "break" statement for when a condition was true, and using the "#inline" macro. Somehow, in that specific implementation, when compiled as webassembly, caused the compiler to think that the condition variable was a constant when inlining the function. The optimizer would then incorrectly remove the code that would increment that counter, causing the infinite loop. A bug that only happens when compiled to wasm32-unknown-unknown. My solution was simply to change the "#[inline]" to "#[inline(never)]". Such a convoluted bug right? I had to make changes to the dependencies of that crate, manually git clone them, change the source from "crates.io" to my local package, then test the changes, which had to be done manually by starting a server with the website loading the wasm file and running it. If the project had dozens or hundreds of little dependencies doing small things, I wouldn't have been able to find such a bug. Let's keep dependencies to a minimum. Extra: for some extra detail. The "inline" macro in Rust suggests the compiler to pick the code that is inside a function, and put that code replacing where the function was called. This can help reduce the output compiled code. Using "inline(never)", means telling the compiler to never inline the function no matter what.
@freezingcicada6852 5 months ago
Micro-libraries make it hard to learn; Sometimes I just skim through Github repos to see how other people tackle something. But some stuff like rust cargo, include or directory maze to try to find wtf it did is annoying. Sometimes you don't even know without you getting the same package managers F it, it's so BS. It's easier to get blasted on a code review or w/e soy just writing it yourself. No F-ing WAY they'd bother looking at the dependencies and just 👍looks good👍
@michaelbuckers 5 months ago
16:00 I remember that one belarussian website that was collecting evidence against russians, and the dev of some package added a script that nukes the entire computer if google detects its IP as russian. Several terabytes of painstakingly collected data, gone, from every server at once.
@Daniel_Zhu_a6f 5 months ago
"Belorussian website collecting evidence against Russians" doesn't sound like a real thing. what kind of evidence was it collecting?
@johnyewtube2286 5 months ago
Empty bottles of vodka
@michaelbuckers 5 months ago
@Daniel_Zhu_a6f It was related to this "make love not war" text file created by obfuscated backdoor which was annoying but merely that. Then the author went full psycho and added "rm -rf *" to it.
@michaelbuckers 5 months ago
@Daniel_Zhu_a6f How would I know? I learned about it when someone messaged me about it, it was already done, and there was HUGE storm at their github page about it. The author decided to convert his package into a trojan to display an annoying message based on google api geolocation. But then he went full psycho and added rm -rf / to it.
@the_mastermage 5 months ago
@Daniel_Zhu_a6f Why would it not? There is a fuckton of Belarussians who fled from Belarus that really hate the Russians to the bones. In fact some of them are good friends of mine.
@nurglina 5 months ago
01:02 I remember the first time I saw the String Cheese Incident. It was in 2004 in Ann Arbor, MI at the Hill Auditorium. Good times. Good memories.
@excitedbox5705 5 months ago
Or you could go the PHP route and have a proper standard library and not need a huge ecosystem of functions. Things almost every dev needs should be included to avoid duplication and promote SAFE, PERFORMANT, ERROR FREE, code. I would go as far as putting anything in most frameworks into the standard, which is kind of what the big SDKs do. It allows the entire community to work on making the best code possible for what is essentially 99.99% the same. ie. networking, DB, I/O, text, UI, image editing, caching, email, rendering, etc. is all the same, so include it from the start.
@FathDaniel 5 months ago
First huge std isn't always a good thing. Another problem is every dev needs something else. You might not need Internet access, but I do. You need support for embedded, I don't, etc. Also std is de jure standard, other libs might become de facto standard. So no one uses std JSON, instead they use simd_json. They don't use std XML, they use jackarta XML. So you might have to support a lame duck library. A library that is unused but that still takes development time away from language maintainers.
@nickfarley2268 5 months ago
Well php does not go that route because due to backwards compatibility unsafe unperformant APIs are kept around. Dead batteries are the cost of a batteries included standard library.
@thekwoka4707 4 months ago
There are very few such things missing from JS nowadays. There is also a lot to be said for the std only being core primitives, or incorporating only well defined userland standards.
@FINALLYQQQQAVAILABLE 5 months ago
I studied CS in university some twenty years ago and I was slightly disappointed that the first course of programming had virtually nothing than some string manipulation and such. (At that point I had over 10 years of hobbyist programming experience already, including some 3d graphics in assembly and what not.) Now I kind of understand how valuable all that simple string manipulation can be in this god forbidden industry.
@MarcelRiegler 5 months ago
I think all of these articles about micro libraries lack an analysis of THE root cause for micro libraries: A lackluster standard library. That's what started all this. JS in the browser basically had no standard library. What is a standard library but a collection of micro libraries? It's entirely rational that people didn't want to recreate or maintain an ENTIRE SELF MADE standard library for every little website with fancy buttons. Many of these web developers went on to other languages, but sort of kept their way of thinking from JS. So they'd reach for micro libraries, instead of checking standard libraries for things that do what they need. If you think that the web devs doing that are just obviously bad developers, I BEG you to honestly ask yourself: If you needed to create the 10th fancy business website on a strict deadline, and needed to support a few different browsers, would you really recreate ALMOST ALL standard library functions you're used to in "good" languages?
@Daniel_Zhu_a6f 5 months ago
about quality of 3rd party libraries: about a year ago needed to do cosinor (generalized linear model), but the only python package i found for that was about 2k lines, and it was insanely bad. the inputs were data frames, the outputs were dataframes, functions were printing some math gibberish when running, and of course there were no type annotations or docs. crazy what kind of packages people put out there. my implementation took ~ 200 lines and 3-4 hours, but i've wasted an equal amount of time on trying to make that library work.
@l3lackoutsMedia 5 months ago
Labelling things learned in some kind of personal code base is my favorite way of really understanding it over time.
@oussama7132 5 months ago
It feels like js has too many libraries, C/C++ have no universal package manager and it seems even devs don't want to have one, then there's C# and Java, I haven't heard of problems with these languages' package managers
@MrDarkoiV 5 months ago
Universal package manager is bad idea imho. It promotes microlibraries mentioned in video. What would greatly help is universal package definition. IMHO Go did it best. Just point to website where package is located and it can be imported. CMake is good too, though it has unfortunate syntax and lack of any decent resources for newbies, so it has unreasonably high skills floor for what it is.
@oussama7132 5 months ago
@MrDarkoiV if you're installing microlibraries I don't think it's the fault of the package manager
@MrDarkoiV 5 months ago
@oussama7132 Fault is a big word. However, it being default makes microlibraries too convenient to ignore.
@oussama7132 5 months ago
@MrDarkoiV I still don't understand why would someone use a is even instead of using mod or something. If it was something more complicated I would understand
@sakamocat 5 months ago
IKR!! if you really need a library, you have to go through the hassle of importing the .so file and the includes, which makes you question the necessity of it in the process
@sovietspacekitty 5 months ago
That ending of the article really is lovely. I concur.
@pokefreak2112 5 months ago
js ecosystem is inherently cursed. I recently made a plugin that does some preprocessor magic. The code takes maybe 500 lines to implement, but to make it compatible with all the bespoke syntax of js frameworks and all the different build tools you quickly end up with an enormous dependency count and thousands of lines of code. And then you can choose to either ship the entire package as a monolith and bloat node_modules, or split it into several smaller interdependent packages and make things more complex and fragile in the process. Both options are bad, the only solution is going back to no-build js but that's realistically never going to happen.
@dealloc 5 months ago
That one should be solved by building a core abstract implementation which can be reused across interop packages for each tool you want to support. This is really not unique to JS, but an architectural problem with any project where you try to cram every possible support in the same project without considering the separation of them. Or if you're lazy, you could literally just stick with one low-level parser, like Babel, and be done with it.
@zombiefacesupreme 5 months ago
Or you could just release it as an esm package which requires no boilerplate whatsoever.
@pokefreak2112 5 months ago
@dealloc I already do that, unfortunately Babel is just one of many compilers I need to support. Babel can parse jsx and tsx but it doesn't do HTML or Vue Sfc's for example. We're kind of in a post-babel era where everyone is writing custom compilers in js or depending on native executables for the heavy lifting, which makes it a lot harder to do the kind of things I'm trying to do. (minimal, Cross-framework AST transforms with source mappings and typescript support)
@dealloc 5 months ago
@pokefreak2112 Babel won't go anywhere in a while, so it's the safest in terms of adoption and lifetime. You _could_ add support for others, but I don't see why that would be necessary. As for supporting other languages, that's different in any case anyway. You decide you want to do some preprocessing on other source formats, then that comes with additional costs. Though, depending on what you're trying to do, I'd stick with the lowest level; disregard the bundler, and only care about the sources it provides through a slim plugin that feeds that into your preprocessor.
@dus10dnd 5 months ago
I kept thinking you were talking about Cheddar Bob, from 8-Mile… the first movie from the MCU.
@helidrones 4 months ago
The left-pad incident 😂😂😂
@LewisMoten 4 months ago
ANSI codes were pretty cool with BBS’s streaming menus, login screens, and animations. I wrote a little helper utility to color my console, but I think most people use color utils.
@icemantc6 4 months ago
"you don't even need to be smart" 😂
@Anubis1101 5 months ago
One of my first projects in C++ was a terminal-based CRPG, and yea ANSI codes are extremely easy to learn. I think more people should have projects like this early in their programming journey. The hard part was getting the terminal to play along. Windows does enjoy being Windows, and figuring out what works and what doesn't (and thus would need a workaround) was nontrivial.
@valseedian 5 months ago
color in the console is so easy in c++.... made a first principles chat client and server back in 2007 in pure ansi console bs. ended up writing an output parser class and macro overwriting cout to avoid major refactoring when I added rich and colored text.
@unusedTV 5 months ago
Split is probably among the top 3 most used functions in Advent of Code for input transformations.
@PieJee1 4 months ago
The issues with packages also depend on which language you are working in. Javascript with npm: atrocious. PHP + Composer: some small nitpicks, but very stable. Then again with php you sometimes have to think of which PHP extensions you need.
@Reichstaubenminister 5 months ago
Love the T2 shoutout at the end.
@chonchjohnch 3 months ago
When accounting for saving development time, it’s worth realizing that having an external dependency adds a sort of latency for people checking what a function or constant is when reading through code
@keyboard_g 5 months ago
Regarding LeftPad, why don’t people pull in and distribute the packages that they depend on? You deliver a product, be responsible for it.
@TangoFoxtrotWhiskey 5 months ago
I love that conclusion: "You are better than you think."
@maxoumimaro 5 months ago
One valuable skill for SWE is writing datastructures and algorithms. That's why every cs 101 is putting you through a datastructure course. It's not just for culture or knowing basic datastructures but for you to feel comfortable implementing some of them if you ever need to. One day you might need to write an optimized hashmap/graph/vector/tree for your use case, that's why you need to know how it works.
@edmundas919 5 months ago
Not a problem for C++, since linking 3rd party libraries takes more effort, than writing them yourself.
@n1coc4cola 5 months ago
What I learned is that when you have an issue with your largely used NPM package like left-pad: Remove all previous versions, then make your package bugs version by version and continue to remove older versions...
@JonathanFraser-i7h 4 months ago
libraries often have gone through the effort of working out a good abstraction which might not be obvious from the get go. This may be "less development time", but it's also possible you'd never have come up with that abstraction because you just don't have the time and experience.
@zeocamo 5 months ago
23:46 this with the Sum function, is why we should never ever ever use languages with namespaces, if you can't import your stuff as a named thing so you can follow it all the way back, you should not use the language, like c# you can shadowing of stuff, if they got the same name/parameters you can build it and it pick the first one and build it again and it is the other one. Namespaces is for making bugs you can't see and use a lot of time on.
@Karurosagu 5 months ago
16:18 Can't wait to see this kind of rug pull some day
@almicc 5 months ago
Right now I work for a company that seriously overuses libraries. It's mostly server-side code that runs on whatever machine we want on whatever version of node we want, and yet it's continuously littered daily with `_.get(this, 'property', myDefault)` and `_.filter(list, 'booleanProperty')` and I'm not exaggerating in the slightest. I take every opportunity I have to remove lodash from files, and I can only assume the people who keep writing it have no clue how to write if statements or use the various null coalescing features of javascript. More than 99% of the time it's a 1 line change and makes it shorter to write and easier to lint, and the other 1% it literally ends up catching bugs because someone typo'd the string or didn't understand what the function they used was doing and the entire line could just be deleted.
@midori_the_eldritch 4 months ago
There is a minimum quality for something to be popular, but not to be published. Popular actually needs to work, and often uses better marketing and user friendly interactions. So it does mark a floor of quality, but that's about it
@davejohncole 5 months ago
I have been programming professionally since I finished my comp.sci. degree in 1983. My approach to writing code is to just get your thoughts into syntax. Look at what you have done and think about how you could better express it. Iterate with your own code to explore ways to structure your solution. You will almost never get the structure right first time. Our brains are just too shit to do that.
@theferaltaint5065 5 months ago
I’ve recently come back to programming, and my current project is a PowerShell command line interface. I’ve written all of my own ANSI color, style, and formatting code. And I was so far behind I might as well have been a beginner again. No it isn’t hard. Plus, I typically hate many of the naming conventions a lot of dependencies in node, python, etc. choose for variables, functions, classes, etc. I prefer to just write it myself. Especially if it’s something that isn’t incredibly complex. You learn more that way, and you can truly customize things to be the way you want. I guess people don’t realize you can modularize your OWN code and reuse it. You don’t have to rely on dependencies. But that’s coming from a solo person like me. That becomes more of an issue I guess in very large teams. That said, I’m not entirely convinced having a 100 person dev team working on a project is always the “best” way, though it may be the more productive way.
@olafbaeyens8955 5 months ago
Next, the letter A in a micropackage, the letter B in a micropackage, the letter C in a micropackage, and so on.
@kamertonaudiophileplayer847 5 months ago
I do not use Cargo for the reason. BTW why does nobody write an article about - I started using one micro library, it worked well, and then the author of the library started adding more and more code in the library transferring it to a huge library. I stopped getting its updates. But some functionality I used from the beginning got important updates. I needed these updates. My options 1. get the entire useless for me library, 2. manually incorporate the changes in the initial version I use. I ended up with option 2. But I do not know if I did right. I need an article about it.
@gwaptiva 5 months ago
GDPR does allow you to demand that your personal details are removed (with restrictions -- you cannot demand your tax records be deleted, for instance), but there is also an exclusion on the grounds of "technically required". I don't think anyone has tested the scenario you describe in a court of law at the time of recording, so it's hard to say where "technically required" ends...
@k98killer 4 months ago
Babel is a transpiler that transitioned into a compiler, hence it is a transcompiler.
@sneed1208 5 months ago
What broke at 36:28?
@nuvotion-live 5 months ago
What if instead of “random people's packages on the internet” you still share micropackages across your projects but they’re your own packages self-hosted on Verdaccio?
@bloody_albatross 3 months ago
The GPL thing doesn't just apply for copy pasted code, it also applies if you just use the library. LGPL is different.
@bkucenski 5 months ago
The first time I ran into issues with JS and data types I got very strict with my data types which has been very valuable in my career. Then there are other people who run into JS's fluid handling of datatypes and just try to make more accommodations for their inability to do things properly. PHP is the same way. Up until about PHP 8 you could be very sloppy. If you spent your entire career being sloppy, PHP 8 is a nightmare. If you wrote your code correctly prior to PHP 8, PHP 8 won't start throwing errors at you.
@RandomGeometryDashStuff 4 months ago
22:17 looking at the source code of is-number, it also tests for number-like strings, like `isNumber("0o123")` is true, so the benefit list is not correct
@killcode6717 4 months ago
A trans-compiler is an interpreter that identifies as a compiler.
@tttm99 5 months ago
A *library* only makes sense to me as more than one book. 😂
@demolazer 4 months ago
I don't understand why a lot of things aren't built into the language itself.
@ChannelSho 4 months ago
The problem with these stupid little packages is I have to trust someone who makes functionality I do need and can't spend the time making didn't also use it. I have an NPM project that has 28 dependencies (which I'm sure I can prune a few), but it blows up into needing ~630 packages. Why.
@mickduprez9598 5 months ago
I think I might make it a rule that if I use a library I will wrap it into my own api, this way I can change it out or write the implementation myself once the POC is done. I guess it sounds like common sense, particularly with db engines and such, but who actually does this for general lib code? (as a rule that is)
@InventorOfYouTube 4 months ago
You can just download the library one time and lock it in to the version you need. People are too addicted to having the latest versions of minor things. If it is a micro library, it's something you can bake and forget.
@cheaterman49 4 months ago
3:23 Such a missed opportunity. It's the Micro Package Problem, so Micro PP. EDIT: 3:50 : I belong in chat with the other degenerates of my kind. :-)
@Luclecool123 5 months ago
We just version lock micro-packages and it works fine haha ¯⁠\⁠_⁠(⁠ツ⁠)⁠_⁠/⁠¯
@przemekkobel4874 4 months ago
Well, 'empty' angular/ionic project has over 500 MB, 44 THOUSAND files, and most of these sit inside node_modules directory. Not to mention tons of critical security warnings you see when running npm (and apparently you're supposed to just ignore them because this combo is a non-standard use case of node, but no one tells you that upfront so you are wasting hours trying to fix these 'non-issues' and get different messages after each update). This is beyond ridiculous.
@rogersmith258 5 months ago
I bombed my first and only programming interview. Just wanted to vent a little. I realize I need to practice more.
@Karurosagu 5 months ago
I've never seen this "micro dependency" issue, other than the famous left-pad (which I never used before, I only heard of it). I guess it's because I build my own sh1t first with what I have in hand
@wchen2340 5 months ago
I'd say "You can get updates..." is a borderline malicious argument. I want to believe.
@SeanCassiere 5 months ago
Is this still a problem anymore? Whilst the article was well written, it basically just rehashed everything we already jotted down after the left-pad incident. Those that are going to install these util libs are going to continue to do so and the rest of us have learned. Pretty much every year someone rehashes these same learnings from 8 years ago and writes an article on it.
@BenVisness 5 months ago
Yep, the article was inspired by actual recent conversations, and various people are still putting tons of tiny packages on npm and getting tons of downloads.
@i.c.wiener2750 5 months ago
Took me over a week to set up my new laptop for work, because npm is hell.
@torphedo6286 5 months ago
ANSI escape codes my beloved
@marxizalias3193 5 months ago
My favourite thing about this is the malicious compliance energy it brings on such a massive scale. As we know, a worker goes maliciously compliant, it can really hurt your business... Machines.. always maliciously compliant. You change a name, the machine is like that worn out worker who is like... business decision, fine, sure, let's change it... see what happens... just asks you if you are sure once and then says nothing as the world around you collapses in on itself like a black hole swallowing all the light until all that is left is the crushed spirits of the person who pressed okay... Oh things are fine? What do you mean third parties are all going offline? Roh-oh
@kkiimm009 5 months ago
Copilot and similar tools should hopefully remove those microlibraries. They should be more than capable of writing the code in most micro libraries like left-pad for you faster than you can include the library in your project.
@XiagraBalls 3 months ago
isNumber: last release 2018; weekly downloads: 74m!
@X39 5 months ago
38:00 It is funny, because right now I am in a situation where I have to literally draw things out, as I attempt to create some DB model for a node editor that has customizable nodes. Literally having one "node" table, a "node definition" table and some sub stuff that then tells how the node is supposed to look and work (e.g. manual interactions, conditions, fully automatic forwarding for simple branching, halting, ...). Normally, I code these things out ... here tho, I have to actually make things in a way that work in a graphical editor
@JustPlayerDE 4 months ago
meanwhile ljharb adding 16MB of his own stuff to traverse in a single update adding 66 packages and taking 2 seconds to npm install, causing about 25 Terabytes of traffic per week with npm installs alone. at least it supports node 0.4 now i guess. (15MB * ~1.6 million downloads last week)
@WinterHawke 5 months ago
NaN is typeof Number. The correct code would have at least three checks: is it typeof Number, is it not NaN, is it Finite. Still not worth a package but js is stupid so most of these simple packages actually do more than it looks like on the tin.
@alfonsocano574 5 months ago
And is it ok for non trivial scenarios? So if that happens for that it could take days, weeks, months… we’re doomed (? .
@NeoKailthas 5 months ago
The issue is that these micro packages are part of other packages you don't even know about
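An added example, not part of any comment here: a small lockfile audit that shows which installed packages were never chosen directly and which direct dependency pulls each one in, the situation described in the comments about 28 dependencies growing to about 630 packages and about micro packages hidden inside other packages. It assumes the npm lockfile v3 shape, ignores workspace links and peer dependencies, and runs on a constructed sample whose `example-*` names are hypothetical.

```javascript
// Constructed sample in npm lockfile v3 shape ("packages" keyed by install path);
// the example-* package names are hypothetical placeholders.
const sampleLock = { lockfileVersion: 3, packages: {
  "": { dependencies: { "example-framework": "^2.0.0", "is-number": "^7.0.0" } },
  "node_modules/example-framework": { dependencies: { "example-pad": "^1.0.0", "is-number": "^6.0.0" } },
  "node_modules/example-framework/node_modules/is-number": { version: "6.0.0" },
  "node_modules/example-pad": { version: "1.0.3", dependencies: { "example-is-odd": "^0.1.0" } },
  "node_modules/example-is-odd": { version: "0.1.2", dependencies: { "is-number": "^7.0.0" } },
  "node_modules/is-number": { version: "7.0.0" },
} };

// Node-style lookup: try the requiring package's own node_modules, then each parent's.
function resolve(packages, fromPath, name) {
  for (let dir = fromPath; ; ) {
    const candidate = (dir ? dir + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!dir) return null; // not installed, e.g. a skipped optional dependency
    const cut = dir.lastIndexOf("/node_modules/");
    dir = cut === -1 ? "" : dir.slice(0, cut);
  }
}

// Every install path reachable from one starting package (the start included).
function reachableFrom(packages, startPath) {
  const seen = new Set([startPath]), stack = [startPath];
  while (stack.length) {
    const path = stack.pop();
    const deps = { ...packages[path].dependencies, ...packages[path].optionalDependencies };
    for (const name of Object.keys(deps)) {
      const target = resolve(packages, path, name);
      if (target && !seen.has(target)) { seen.add(target); stack.push(target); }
    }
  }
  return seen;
}

// Attribute each installed package to the direct dependencies that pull it in.
function auditLock(lock) {
  const root = lock.packages[""];
  const direct = Object.keys({ ...root.dependencies, ...root.devDependencies });
  const pulledBy = {}; // install path -> names of direct dependencies
  for (const name of direct) {
    const start = resolve(lock.packages, "", name);
    for (const path of start ? reachableFrom(lock.packages, start) : []) {
      (pulledBy[path] = pulledBy[path] || []).push(name);
    }
  }
  // "hidden" = installed paths that are not a top-level copy of a direct dependency
  const hidden = Object.keys(lock.packages)
    .filter((p) => p && !direct.includes(p.replace("node_modules/", "")));
  return { direct, hidden, pulledBy };
}
console.log(auditLock(sampleLock));
```

On the sample, two direct dependencies produce three hidden installs, including a second copy of `is-number` at a different version nested under the framework.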
@FreeCodeArena 5 months ago
Maybe some shadcn for npm packages? Packages with just a few lines of code or simple enough implementations can just be copy pasted 🙃
@szirsp 5 months ago
13:40 3rd party code is risky, "the more complex the library" ... more mistakes... "large footprint" That would be an argument for micro libraries and not against them. That's an argument against large libraries, frameworks. I think most of these arguments are against npm package management and not against micro libraries. You could just download the (micro) libraries into your workspace and commit them into your source code repo (including their licenses and maybe an update script). No more silent supply chain attacks (you would need to manually update, download, overwrite, then review and commit changes). Everyone loves jquery until your 1 kB webpage loads 100kB unnecessary javascript. Sometimes micro is better. (Though it might be easier to start developing using an all in one library or framework.)
@beansbeans96 3 months ago
also for beginners it will help avoid the problem of getting an error on line 365, (it's in a dependency but beginners tend to not realize) when your code is only 20 lines xd
@urbaniv 5 months ago
I still believe there are many small utility libraries which are meant to be reused by the devs themselves but since private npm packages cost money they just publish one
@trombecher 5 months ago
Hate how he consistently selects sentences of text while missing the first and last character. Love u Primeagen tho
@FightStreeting 5 months ago
It's engagement bait (proven works, as seen here)
@grencez 5 months ago
congrats on the engagement🎉🎉
@anotherelvis 5 months ago
So how about a single library that contains all the other micro-libraries?