
NPM and the future of JavaScript - dberhane
https://slides.com/seldo/npm-future-of-javascript#/
======
chatmasta
What an arrogant presentation...

1) “npm is the best at x, y, z” with no data to back the assertion or attempt
to address the many counter arguments

2) we just released a bunch of brand new security code! So it must be secure!

3) everyone is using npm, that must mean it’s the best, and not that technical
debt is forcing the choice on everyone

4) everybody in the audience stand up and sit down when I say

Jeez

~~~
ficklepickle
1) I saw the presentation, there was more info. These are just the slides.

2) he went over the specific security features. They really are improving
things. NPM 6 has a bunch of very reasonable new security features.

3) he never said they were the best. He was actually fairly down to earth. He
attributed npm's speed increase to code sharing and working together with other
package managers.

4) this was to keep everyone awake after 20 minutes of charts. It was a gag.

It really was a good presentation. Hopefully the video is publicly available
at some point.

------
royjacobs
After the Nth time in which npm failed to install correctly (incorrect package
resolution and even an occasional stack overflow exception) we moved to yarn
and never looked back.

It's amazing to me that npm, which has been around for quite a while, still
manages to be so broken. I normally try to give developers the benefit of the
doubt, but I really believe the frontend world is worse off because of npm.

------
0xfeba
NPM and Yarn have made a nightmare out of our project. We have 50 direct
dependencies. The lockfiles only lock your direct dependencies, any transitive
ones can change at any moment, making our CI builds fail when something works
locally. And they don't actually check integrity -- that v1.5.0 of ABC is the
same as v1.5.0 from a month ago.

I saw Yarn added last month a hash of the (hopefully) source of the
dependencies -- that's what we need.

Despite using lockfiles, some transitive dependency changed and we decided it
was best to upgrade the direct dependency, requiring a big refactor. The
alternative was to fork the library and maintain it ourselves -- which I am
refusing to do from this point on. We have about 10 forked 3rd party
libraries. No more.

I feel like I spend 30% of my time just trying to upgrade/maintain the current
builds because some stupid loosely semver'd dependency changes, rather than
writing new features.

~~~
acemarke
That sounds odd. The whole point of lockfiles is that they _do_ lock your
transitive dependencies.

~~~
0xfeba
Yeah, I know, but we still have CI builds fail that work locally -- until you
rm -rf node_modules and install again using the lockfile. The recent addition
of hashing seems to be in response to my issues -- I am trying that out now.

~~~
rbrcurtis
Always use a clean workspace.

------
valw
> The best framework is always the one with the most users.

What???

~~~
hateful
I think some of the slides were meant to go with a presentation and were meant
to be sarcastic/snarky.

------
crooked-v
The key things that got my team to switch to Yarn were (a) the lockfiles
didn't keep changing formats when running installs and (b) workspaces for
monorepos.

------
zallarak
I have terrible memories of npm install on the Caltrain, with tethered wifi.

------
Hansi
I'm a bit of an outsider looking in, being a manager that doesn't code much
anymore, but why the dislike of Typescript? I really don't see the downside.
Transpiling doesn't make it 1:1 anymore but all devs seem to praise it.

~~~
thrower123
Everybody babels anyway, so fussing about compiling[1] typescript is asinine.

[1] transpile is also a stupid word. It's a compiler, at least as much as
javac is, or ghc when it used to spit out C code that then went through gcc.

~~~
jazoom
I don't transpile my NodeJS code. I don't feel that makes me asinine.

------
tashoecraft
Slightly misleading to say Angular is in decline when you group Angular 1 and
2+ together.

~~~
evv
I understand that Angular as we know it today is basically a total re-do of
AngularJS (v1), but I'm curious, how is it misleading to group them together
when comparing to other frameworks?

~~~
IggleSniggle
New Angular is more like Vue than it is like AngularJS (v1). Old AngularJS and
Angular 2+ are very, very different. For that reason, many popular AngularJS
(v1) apps have not yet updated (and probably never will without a total
rewrite).

~~~
evv
So, if a lot of the Angular decline is due to people migrating off of v1, and
v2 isn't gaining in popularity as fast, is it really misleading to say that
Angular is in decline? To me it seems that tons of Angular 1/2+ users are
adopting Vue instead.

~~~
IggleSniggle
I was just answering the question of why it is misleading to group them
together.

The frameworks are radically different and the install base is likely very
different as well. If AngularJS (v1) was growing in popularity it wouldn’t
really tell you anything about Angular (v2+), in the same way that the fact
that Ember is seeing a slow and steady growth doesn’t tell you anything about
Angular (v2+). They’re different frameworks with dramatically different
conventions and install bases. If AngularJS AND Angular were both losing
popularity, it would still be misleading to group them together as “Angular.”
They’re just not the same thing.

Choosing to name the newer framework was, in retrospect, an extremely poor
choice, especially since it alienated all AngularJS users since there was no
good migration path at the time and everything was so different; it _might_
have made some sort of marketing sense in the pre-React/Vue world that Angular
(v2+) began its life in.

------
bitwize
"JavaScript is the most important programming language in the world."

Either that statement is false, in which case the JS community really is that
insular and arrogant -- or it's true, which is probably even worse.

Either way, this assertion scares me.

~~~
lonalzarus
I know it's fashionable and popular to hate on JS. No matter what your
objections are, if you are frightened of it, you should be scared. It's
running in almost any modern device you own, and a decent chunk of services
serving those devices. Even if everybody decides to switch to WASM/Go/Python and
leave JS in the dust, it'll still zombie on for a good long time. See: PHP.

~~~
LaGrange
> I know it's fashionable and popular to hate on JS.

I've been in the industry for almost 20 years now. I do not remember a time
when it wasn't popular to hate JS. If it's a fashion, it's a fashion that
literally crossed millennia.

~~~
crimsonalucard
It was always hated from my experience. It was a flawed language designed in 3
days. There's more people who love it now than before. It's mostly from
beginners who learn it at bootcamp as their first/only language.

~~~
lostcolony
I know Java, Erlang, C/C++, Ruby, Python, Javascript, have dabbled in Scala,
Haskell, PHP, Perl, and Racket. Of these, Javascript was actually the last I
learned and used professionally.

I like Javascript. I hate DOM manipulations in the browser, and browser based
differences, but Node on the backend is generally a pleasure to work with, and
far, -far- better than most of the languages and ecosystems I've had to deal
with. I prefer Erlang (well, and Elixir) for larger projects with complex
concurrency/distribution/fault tolerance requirements.

Yes, Javascript was always hated. It certainly has some WTF elements to it
that deserve some hatred. But for a straightforward, easy to learn, get things
done language that doesn't lead to a lot of bloat, doesn't force you to be
concerned with things you shouldn't have to be concerned with, etc, it's
actually pretty solid, and I suspect a lot of the hatred has to do with the
argh of the browser, in which no language will help you.

~~~
gambler
_> I hate DOM manipulations in the browser_

What exactly is so difficult about DOM manipulation? I honestly don't get why
people see it as a problem that warrants zillion badly written frameworks,
while other critical language issues are pretty much ignored.

~~~
IggleSniggle
What’s difficult isn’t the DOM itself, it’s that you thread in and out of the
DOM with a changing DOM state and with multiple people writing application
code. Many of the frameworks / packagers exist to help tame the context
switching, since in frontend land you might have business logic that is
dependent on a CSS class that may or may not be present at any given moment
and might be modified by some other piece of logic.

Everything in the DOM is basically a global variable, and any part of the app
might manipulate any part of the DOM.

Example: Someone wrote CSS that is coupled to a child element (which seemed
the clearest way to write it at the time) and someone else comes along to edit
the content of the HTML which adds a layer and now your logic is broken even
if the CSS still looks right. The frameworks make it easier to avoid that kind
of fragile coupling / enforce a consistent way to manage the interaction of
JS, CSS, and HTML.

All that said, web applications really are an entirely different beast than
websites, even if they exist on a spectrum.

~~~
lostcolony
Yep. In any shared development context (or even solo but trying to ensure
proper containment of component structure, logic, and design rather than just
one ugly hodgepodge), there is no good solution without a framework. And
because literally everyone runs into that problem, everyone has created their
own framework, which is why there's so many of them.

But none of that is an issue on the backend, where there's no DOM
considerations. No HTML or CSS either. Just Javascript. And there it's
straightforward, succinct, and usually easily understood (usual caveat of bad
developers, but compare average Node codebases with average Java codebases).

------
magicbuzz
“Transpiling is a code smell” - what is the thinking behind this statement?

------
k__
lol, what are the Yarn devs saying about this? :D

~~~
KenanSulayman
Created an issue over at the Yarn repository:
[https://github.com/yarnpkg/yarn/issues/6538](https://github.com/yarnpkg/yarn/issues/6538)

------
wishinghand
I can't tell from the slides, are the ill-advised recommendations a
tongue-in-cheek title or are they serious?

~~~
jessaustin
ISTM they are more like predictions, with the "advice" just being "do what
everyone else is doing". YMMV.

------
ravenstine
It's this kind of Kool-aid swallowing of React that has kept me away from it.
I don't care how great of a tool it is.

To paraphrase the last 8th of the presentation:

- Use React.

- If we all just use React, React will live _forever_.

- React is better because users.

So much of the rhetoric around React is disturbingly cultish.

------
techntoke
JavaScript appears to have been primarily created to spy on users. I don't
need every website to take over the presentation of content. Information
shouldn't be coupled with design to limit choice. I'm ready for a new browser
that uses a more modern markup format.

------
exitcode00
Javascript is a cancer. But I guess if you can't beat it, might as well learn
to love the cancer?

~~~
sctb
You've been breaking the guidelines a lot, but we'd like to hear what you have
to say that isn't a flippant and vacuous dismissal, so could you please read
and start following them?

[https://news.ycombinator.com/newsguidelines.html](https://news.ycombinator.com/newsguidelines.html)

~~~
exitcode00
I think it's fairly well known that there are flaws in Javascript, which was
designed in a week, and how it's used (DOM etc). The ease of its use probably
lent to initial success, but the difficulty of making complex secure
software has led people to reinvent the wheel it seems every 6 months.

I don't think having a polluted and bloated ecosystem like NPM is a mark of a
success of quality. Just look at what happened when someone deleted their
project from NPM - they broke the internet...

[https://qz.com/646467/how-one-programmer-broke-the-internet-...](https://qz.com/646467/how-one-programmer-broke-the-internet-by-deleting-a-tiny-piece-of-code/)

~~~
sctb
That's quite beside the point. Just please don't post things that are
predictable, dumb, and mean.

~~~
exitcode00
That was my revised comment - I have seen the light : )

~~~
sctb
Ah! Now I have too.

