NPM and left-pad: have we forgotten how to program?

Original author: David Haney
  • Transfer
Posted by David Haney , Stack Overflow Lead Software Engineer

So, developers, time for a serious conversation. You probably already know that this week React, Babel and a bunch of other popular NPM packages have broken. The reason is pretty amazing.

A simple NPM package called left-pad was installed as a dependency in React, Babel, and other packages. The module, which at the time of writing this post, has 11 stars on Github (now 323 - approx.per). The whole package consists of 11 simple lines that implement the primitive function of inserting spaces on the left side of lines. If any of the links ever die, here is his code:

module.exports = leftpad;
function leftpad (str, len, ch) {
  str = String(str);
  var i = -1;
  if (!ch && ch !== 0) ch = ' ';
  len = len - str.length;
  while (++i < len) {
    str = ch + str;
  }
  return str;
}
What bothers me is the sheer number of packages where the dependency on the simple function of padding the string with spaces is established, instead of spending 2 minutes writing this basic function yourself.

Learning about the disaster that happened due to the left-pad, I began to explore the NPM ecosystem. And here is what I found, among other things:

  • There is a package called isArray , which is downloaded 880,000 times a day, 18 million downloads in February 2016. It has 72 dependent NPM packages . And here is his whole 1 line of code :
    return toString.call(arr) == '[object Array]';
  • There is a package called is-positive-integer ( GitHub ), which consists of 4 lines and which yesterday needed 3 other packages to work. The author has since refactored, so now the package has 0 dependencies, but I can’t understand why this was not done right away.
  • Fresh Babel installation includes 41,000 files
  • A clean jspm / npm application template starts with 28,000+ files

All this makes us ask a question ...

Have we forgotten how to program?


In which of the parallel worlds are the above solutions the best? How can hundreds of dependencies and 28,000 files for an empty template be called anything but excessive complexity and insanity?

It seems that members of the NPM ecosystem have grown a mic-packet fetish. Instead of writing any function or code, they seem to prefer to set the dependency on something written by someone else. It seems to me that all the work of a programmer in the NPM ecosystem comes down to writing as little code as possible, to link existing libraries together, to create something new, functioning in a unique way for personal or commercial needs.

Functions Are Not Packages


Functions are too small to get into the package and dependency. Pure functions have no connection; these are random pieces of code and nothing more. Who needs cosine dependency? Instead, we would really like the dependency on the trigonometry package, which covers many tricky functions that we don’t want to write ourselves. This is much more similar to how .NET and other frameworks create a core library with basic functionality. Such a library is verified by the creators of the language and has a significantly guaranteed reliability, with no bugs.

Third party problem


There is absolutely no guarantee that something written by someone else will work correctly or even work fine. Even if everything is correct, is this the best way to solve the problem? At least when you write the code yourself, you can easily change it, fix bugs, and increase efficiency. There should not be particularly many bugs in a function from 1 line.

Secondly, even if the logic in the package is correct, it amazes me that the developers install dependencies on single-line functions, which they themselves must be able to write with their eyes closed. If you can’t write the left-pad, is-positive-integer or isArray function in five minutes (including time to search on Google), then you don’t know how to program. Hell, any of them can be a good question at the interview as a test to see if the candidate is able to program.

After all, binding together different APIs is not programming. This is some kind of crazy form of dependency hacking, which includes clouds and code overload and complexities that are not really needed.

To make matters worse, if there is a bug in your code or in the code of a third-party library, or the code does not work correctly, then you will not know how to debug or fix it if you cannot program.

Struggle to reduce dependencies


Each package added adds another dependency to your project. Dependencies, essentially the word, are what you need for the code to work. The more dependencies, the more points of failure you have. Not to mention the greater likelihood of a mistake: did you check any of those programmers who wrote these functions that you depend on daily?

Accept the dependency for any complex functionality that is very long and expensive to implement yourself. Things like a database access level (ORM) or a caching client need to be installed as dependencies, because they are complex and the risk of dependency pays off in cost and efficiency.

But please, for the love of everything that programming is, write your own damned basic functions yourself. Putting dependencies on single-line packages is generally crazy. Do not believe? Just ask React developers how their week went, and whether they regret that they themselves did not write those 11 lines for filling the line with spaces on the left.

Also popular now: