DEV Community

Discussion on: NPM hot-takes and the pitfalls of trivialization

remotesynth profile image
Brian Rinaldi • Edited on

you seem to imply that bigger libraries are favorable because... well I'm not sure what your justification is. I'm pretty sure you're not either.

Hmmm.. Was I in any way this condescending in my comment? I don't think so.

Moving past that though, I was stating that the argument you rebut does not actually make the case you are rebutting (i.e. that trivial packages are not of value simply because they are trivial). Personally, I think his security concern is slightly overblown. However, I also feel that developers tend to add libraries without being aware of what is in them (or what is in the dependencies of their dependencies and so forth) - in which case they do open themselves up to potential security risks. It might be trivial to audit a trivial dependency, but that doesn't mean most developers are actually doing the auditing. I do think the danger is there that developers unintentionally install something malicious simply out of a complete lack of awareness rather than as a patch to a trivial dependency (which is what he argues).

I also think the triviality of things like is-odd makes it a needless dependency. If you don't want to write it yourself, why not take the 4 lines of code (and tests) and pop it into a utility library of some sort? This isn't really a maintenance issue - the code for a function of this sort is unlikely to ever change. It's not like you're missing out on some important update to how odd numbers are determined. This removes both the risk of installing a trivial library that you probably aren't auditing while also removing the risk of breaking due to the dependency being removed. Are both those risks trivial? Perhaps, but so is the code.

Thread Thread
dubyabrian profile image
W. Brian Gourlie Author • Edited on

Was I in any way this condescending in my comment? I don't think so.

I certainly perceived as much. This article was sparked by a comment I read, and you seemed to take issue with the fact that I wasn't addressing the the article that the comment was in response to. I happen to disagree with the article as well, but that's not what I was addressing.

Again, your issue seems to be with the inherent trust we as developers place in the open source libraries we consume. This is not specific to NPM, or trivial libraries, it's inherent to open-source development. If this particular issue is something you feel strongly about, I suggest you write a post about it.

Thread Thread
remotesynth profile image
Brian Rinaldi

I didn't intend it to be condescending. So I apologize if you perceived it that way. I did think the context of the comment, especially given that it's author was being intentionally abrasive (he even admits to "going there") was important since it gave a potential misconception that the article it responded to made that sort of exclusionary argument (i.e. the "you're not a real developer unless..." type of argument) about trivial libraries.

Finally, I, in no way, made the case that developers should be broadly distrusting of open source. You generalize my argument. There is a risk/reward balance and the risk isn't just malicious code - it could also be that a removed or broken dependency breaks my build, which may or may not be a simple fix. In my view, the risk for a trivial dependency does not outweigh the reward. In your view, it does.