damn, you didn't get to the funniest bit. The everything package uses the "require:*" or whatever is called from NPM, that requires every single version of the package. So no one can remove ANY version of their packages.
I just love the existence of that feature to begin with...
The policy basically states that at any point you might not be able to unpublish anymore. The fact that people panicked over this just tells you how many people didn't understand the freedoms as an author they agreed to give up because of left-pad, npm stripping a package name from someone, and the overall js ecosystem where everything is a dependency, even things that shouldn't be.
That "No. I decided I don't care."
Is just whole another mood.
*...just a whole other...
NPM makes the AUR look civil and professionally organized.
wait what's wrong with the AUR?
@@carlpittenger imo the AUR is incredible. but there is a LOT of outdated and broken packages.
@@mirsella6204 yea i suppose that's the price of having such a comprehensive package database. i was just wondering if there was any npm-esque event i missed in the AUR world.
@@carlpittenger there are lots of garbage packages and moderators don't really care. But it is not that important, you can simply ignore them as well.
The worst case scenario is when a package you need is low quality or even broken. Most of the time you can reach an agreement with a maintainer though.
@@mk72v2oq Not to mention usually someone posts a fixed PKGBUILD in the comments section
PatrickJS can put "author of everything on npm" on his resume. He should have used all capital letters, if you ask me.
"Worlds biggest JavaScript Toilet"
tweet that
This is awesome and prevents bad actors from stripping packages
At some point for some reason the software industry just collectively decided that computing shouldn't be about computers - and also that it should be crazy. Then everyone overdelivered on the crazy.
NPM " The World's LARGEST... Javascript : Toilet "...
For those curious, the total size of all NPM packages combined is 24TB. Total number of packages: 3.3 million.
So it's almost doable, you just need to RAID some drives and have a very fast internet.
Why would you need RAID drives? That's too much work and npm doesn't deserve that. Just grab one 22TB and one 2 TB, JBOD or stripe them and ask the NPM maintainers to forbid the drives from failing.
Wait til he finds out its trash...he already knows its trash.... yep. Pre-known.
Can't wait for everything 2.0.0 package update
In a way, the npm is a nice analogy for the Node.js community itself. Also, not allowing people to remove their packages will not prevent people from getting back at you by adding malicious code to their package as a way of protesting.
You can also depend on version '*', including any future versions, which further simplifies any package removal. 😂
I agree with you on go. Go does this better than pretty much any other ecosystem. And npm is right there at the bottom of the barrel.
Actually this also blocked the package removal. XD Sometimes I feel sorry for JS devs.
I'd love to see the day some sort of malware spreads everywhere that just runs npm install everything if the host has node
Aka how to crash the internet
Last time I had to work on a Node project I made a mapping in Vim to dispatch a command to tmux to blow away node_modules and reinstall, because this was needed so damn frequently.
Even if you use npm/yarn/whatev you can pull code from any registry or git service. We actively use this everyday
Imagine if he had made the end of this everything-dependency-chain depend on the root everything-package (●'◡'●)
There is a package called "everything-else", which depends on "everything", and that's why they couldn't unpublish "everything" to fix the issue.
Interestingly, "everything-else" was published 9 years ago, according to npm.
Cyclical dependencies are an insult to logical reasoning.
everything depended cyclically on everything so it was impossible to delete period
4:02 Patrick is a genius.
Npm does let you host private registries. We use a custom registry as a cache for all our packages. If npm goes down we're still good.
Last I checked hosting your own registry is not exactly easy or straight forward. Has that part improved since 2019? That's when I last was using node.js professionally.
@@codeman99-dev I don't know about anything else but we use Nexus as our NPM package registry and it's pretty straight-forward and setup and forget kind of thing.
Same, Nexus is very easy to setup and configure for your project
On npm, you can’t publish a package with a lower version number than the latest package.
Damnit "Primea-gin" was a good one
>Make a package
>Maintain for some time
>People crying for updates
>"No. I decided I don't care."
>Leave
Gigachad move 🔥
If "Head of Software *Supply Chain _Security_*" doesn't see an issue with relying your product on a free 3rd party site to begin with, then software development as an industry has much bigger problems.
this is awesome, sad to see it go
Theo did a pretty good job explaining this better than that article.
Why would you upload a package to NPM with the explicit plan to unpublish it?? How can you be so sure that a normal developer doesn't reference your package in the meantime? It doesn't need the 'everything package' for this problem to occur.
npm also allows local packages
And git if you want to use that!
Today I ran into a brand new npm problem that drove me crazy! Part of it is my mistake, but I put an install step inside of my Azure AppService for a nest app. I was hitting the soft open file descriptor limit in the docker container, which led to random files inside of node_modules being only partially written to, and runtime syntax errors. Really annoying
Just curious,what happens when:
1. The package depends on itself.
2. The first package depends on a second package that also depends on first package.
ouroboros
10:18 regarding git tags, there is nothing preventing you from deleting git tags in your own repository to change code to something malicious, so it suffers from the same issue, no?
since tag refer to commit hash, it's pretty trivial to spot the problem by comparing commit hashes of local cache vs origin source.
Go did something similar, publicly you refer to tag (or other human-friendly signifier) in go.mod but internally it kept track of which version of code it pulled under go.sum. If nefarious party do tag replacement, the checksum won't match and either you or the publisher have to resolve it manually.
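The check described in the comment above, as an added example (not code from the video, the thread, or the Go toolchain): a go.sum-style file records a content hash on first fetch, and a later fetch of the same tag with different content is rejected. The hash follows the style of Go's `h1:` directory hash; the module path `example.com/lib`, the file contents and the in-memory origin are constructed for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"sort"
)

// Tree holds the files of one module version (constructed sample data).
type Tree map[string][]byte

// HashTree hashes a file tree in the style of Go's "h1:" directory hash:
// SHA-256 over a sorted manifest of "<sha256 of file>  <name>\n" lines.
func HashTree(t Tree) string {
	names := make([]string, 0, len(t))
	for name := range t {
		names = append(names, name)
	}
	sort.Strings(names)
	manifest := sha256.New()
	for _, name := range names {
		sum := sha256.Sum256(t[name])
		fmt.Fprintf(manifest, "%x  %s\n", sum[:], name)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(manifest.Sum(nil))
}

// ErrMismatch reports that a tag now resolves to different content.
var ErrMismatch = errors.New("checksum mismatch")

// SumFile plays the role of go.sum: "module version" -> recorded hash.
type SumFile map[string]string

// Verify records the hash on first fetch and rejects any later fetch of the
// same module and version whose content hashes differently.
func (s SumFile) Verify(module, version string, fetched Tree) error {
	key := module + " " + version
	got := HashTree(fetched)
	want, seen := s[key]
	if !seen {
		s[key] = got // first use: pin what was fetched
		return nil
	}
	if got != want {
		return fmt.Errorf("%s: %w: recorded %s, fetched %s", key, ErrMismatch, want, got)
	}
	return nil
}

// Demo fetches v1.2.0 twice; between the two fetches the tag is moved.
func Demo() (first, second error) {
	const module, tag = "example.com/lib", "v1.2.0" // hypothetical module
	origin := map[string]Tree{tag: {
		module + "@" + tag + "/go.mod": []byte("module example.com/lib\n"),
		module + "@" + tag + "/lib.go": []byte("package lib\n\nfunc Pad(s string) string { return \" \" + s }\n"),
	}}
	sums := SumFile{}
	first = sums.Verify(module, tag, origin[tag])

	// The publisher deletes the tag and recreates it on a different commit.
	origin[tag] = Tree{
		module + "@" + tag + "/go.mod": []byte("module example.com/lib\n"),
		module + "@" + tag + "/lib.go": []byte("package lib\n\nfunc Pad(s string) string { return s }\n"),
	}
	second = sums.Verify(module, tag, origin[tag])
	return first, second
}

func main() {
	first, second := Demo()
	fmt.Println("first fetch: ", first)
	fmt.Println("second fetch:", second)
}
```

The tag name never changes between the two fetches; only the recorded hash exposes the swap, which is why the lockfile entry, not the tag, is the thing to review and commit.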
9:55 Elm mentioned lets go
I agree with you here: Go just has the superior management. Whatever git it is hosted on, you can add it.
And what about dependencies?
@@EdwinMartin git submodules.
And here I thought Composer (for PHP) had issues
"Apparently, i never been on live television before"
btw you can `npm i git://...`, works with bun too
if you are wondering
you dont have to put stuff on npm
i do that
What if there was Everything2 that contained Everything and Everything also contained Everything2
Does the package of all packages contain itself?
And all of the time
Well naturally everything should depend on everything which includes itself. So everything 2 is not needed.
What a great idea... And one breaking the NPM's service terms at that!
That package doesn't serve any specific purpose other than exploiting the service's mechanics,
Gotta love programmers and how good they are at finding loopholes
it was literally like a 5 minute bug that just required an upgrade/update of powershell/terminal, package manager, and reboot device lol. was just annoying
In (IIRC) Theo's reporting of the thing, there were comments highlighting complaints about not being able to unpublish because of this. I'm of the mind that many of those complainers were disingenuous because either they didn't have modules in npm in the first place, they probably didn't even follow decent principles of reducing their own need for external dependencies, and/or when publishing to npm probably just put stuff up will-he-nill-he without decent versioning practices or even using unpublish in the first place.
"hey, wanna see a black hole?". types "npm install everything" and hits enter
package hash + decentralized registry, is the only way to go
"Rule 34 of America is that whatever idea you have of someone doing, there is an American that is doing that" truer words were never spoken on this channel
How has it taken this long for someone to try this? And why was the name 'everything' not in use since the very beginning?
Patrick deserves a bug bounty
tldr; "Reaction" suggestion, ass kissing, thank you for being a motivation for someone with a "rough" past full of bad decisions. I had/have HPPD too, not fun and rare to hear discussed! If any of this is useful, it is public domain, obviously, but no matter your take on my long-for-no-reason comment. Bash me, analyze me and my analysis paralysis, whatever. Or don't even read this. Just please keep making videos!
Have you seen Bill Burr's bit about Steve Jobs? It is on YouTube with the clickbait title "Bill Burr Destroys Steve Jobs and His Legacy in 5 Minutes". You can feel the awkwardness from the Apple purists through the screen. It is hilarious and satisfying! He asks a big question, I would love to hear your take and the interaction with twitch.
I consume your content for the same reason I do his. You are transparent, never afraid to be the joke, and shit on your own flaws/failures just as much, if not more, than other people's. Even better is when we weren't thinking it, but should have been, it was obvious. Somehow culture, society, whatever somehow shaped us all to not think that way. Now we are all laughing at not just the joke, but ourselves, and we f^*ing learned to be more humble and free thinking! FIRE! love that shizz... The first video of yours hooked me so hard, super hard! I don't remember which it was, but you WENT IN on stack overflow, and I was crying laughing. It was like the nerd version of when Burr shit on Philly for fifteen minutes straight in their own city. I recommend that if you haven't seen it. It has nothing to do with coding so more of just "if you liked that one, check this one out"
My past includes heavily drinking since teenage years, quite a few years of HPPD in my 20's from heavy "hippy drugs" usage (tryptamines, MDMA, half of Alex Shulgin's book, Ketamine, nitrous, etc...), ruining a scholarship, it keeps going, you get the point. You being so open about yours is f&^king motivational!
Role model seems corny and too much like just emulating someone. My approach is to steal certain specific ways of thinking from people like you or Lex Fridman, Bill Burr, Joey Diaz, for example. I may never come close to the level of whatever quality I want to borrow, but that is stupid to think about. Just keep making those baby steps, that is the way, you put it more eloquently in some video. okay, I am going to STFU now. I did not kiss your ass and make up a "rough" life to get you to take my video request. Even though that would be hilariously pathetic! I am just confident it would make for some great content and selfishly want to see you and chat talk about it.
I wish you and the family the best! I push the like button bro. I have been at work and pulled out my phone to double check that your video I watched the night before had my thumbs up. I am still a baby at coding, seriously just BASH scripts and markup/down(I don't know the diff...) but my first project is going to be some kind of overlay for specific YouTube channels as a FF extension reminding me to click like.
Glad I don’t use that many packages.. and really stray away from these managers for JS.
The creator should have called it "lockchain" instead of "everything"
10:09 salted sha where salt is version number or something useful?
lol did you not watch Theo's thing about this the other day? He kinda sniped you tbh. Had Patrick on like you talked about and everything.
Git for package management is a terrible idea. Versioning is always trash in Go.
I guess there's nothing preventing you from directly installing npm packages from their Git source, right? Or do they still go through some of npm's servers?
Why not make sure one of the other package managers can avoid it and work entirely from git if setup that way?
Edit: Oh, I guess you would have to have the dist files built and released somewhere, right? Because you would get uncompiled source... I guess that's the missing link, how do we account for that?
Just compile the source.
Easier said than done but if you get a large market share of support for this feature, it should be easy provided such packages detail how to build them from source.
@@RRKS_TF yeah that's always an option, but with so many differing build steps, or often with necessary env values on build and such, it will probably mean most packages needs your understanding and inputs, which is what pre-built sources help mitigate for you... I just wouldn't say it's practical right now
Maybe some idea will rise to make something like this more feasible
@@casraf I agree it is not currently practical the closest thing that currently exists (for C/C++) is CMake. I am in the middle of working on my own buildsystem whose configuration file is a Lua program that generates the build command. I'm yet to expand it to support pretty much anything beyond adding basic compiler flags.
My end intention with the project is to have a simple add_package function that takes either a path on a filesystem or a URL for a git repo and be able to build from source or download a suitable pre-built source.
It is ambitious and if I am being honest to myself I will likely never implement those features as I don't really want to convert a big library like libtorch to my unique and custom buildsystem.
still laughing about that github issue 😂
No. I decided. I Dont Care
I love you more than a friend
Of course TrashDev jambongled the whole JavaScript ecosystem 😂
True TypeScript GIGACHAD 💪
Never watched this dude stream. How often does he look into the camera and do the "the name is the promagen" thing?
Git tags can be deleted or replaced though, so they aren’t immutable either?
Get his point of view!
The name is a-drinks-a-gin
lol your comments about Go and git are basically identical to my comments on Theo's video about this.
Yo, isn't versioning kinda very very awkward when using git as package repo?
Worlds largest javascript toilet XDDDD 2:20
everywhere all at once
And people don't understand why I prefer languages where there is NO - literally NO - package management. Just clone that shit code from github/lab/gitea/etc and its fine. Also npm makes people so lazy to never look at what the packages really do that I routinely have found HUGE bugs - like in the electron-compatible named pipe package and such...
Lol did they really add a feature to download all the packages unironically?
Hello my name is Adam and I'm 15 years old. I started programming 2 years ago, like in C++ and C# not js. And I'm just coding for fun on average of 2h per day. But how ever programmer in his career I faced the imposter syndrome and I don't know am I writing good code, am I writing code fast, because I do it for fun I cannot compare myself to anyone?
This was off the topic for this video but would love your and everyone else's opinion
Keep up the good work!
In absolute quantities, you probably are not good at C++/C# but relatively you are very good. Not many people learn programming especially low level languages like C++ at your age or later on in life.
Don't compare yourself against others especially this early on, it will do more harm than good in the long run.
If you are looking for things to do then I personally (as a C++ dev with no professional experience) learned Vulkan, the basics of rust, using a C++ compiler through the command line, intrinsics especially vector intrinsics like AVX, Lua, and SFML C++ library. These are the things that I recall running into myself while doing hobby projects, going wherever I felt like going, so you don't have to do any of the above it's just what I did. (They are not in any particular order, definitely do not start with Vulkan or compiler intrinsics!)
@@RRKS_TF Thanks
One thing I have to ask is, are big orgs that does web things NOT having their own mirrors of repositories?
Half of Maven's repos could go away tomorrow, and we'd not even notice, since everything we use has a mirror. (We use JFrog, which lets you do NPM as well, so I don't get it)
Everytime I see someone poking fun at the Java dev experience, I can wait two days and the cool kids with their typescripts and their treeshakes run balls first into something that we solved like 20 years ago. At some point being a Java dev is both looking forward to getting whatever's new and cool five years after everyone else, but also looking at the sheer clownery that is pretty much everyone else.
You should be able to look whomstever is capable of fixing this straight (or gay, I mean, I'm not trying to heteronormatize you or whatever) in the eye and say that JAVA has fixed this, there is NO EXCUSE.
pypi is cool
If you depend on "*" why on earth would you care if the last version is deleted? This literally means you don't care about the version, so just use the previous one and that's it lol
Pip is peak
just npm install --force until its totally unusable, then fix
There were some comments laughing at how angry people were on the issue on github, but the people commenting were probably experiencing some situation that was already frustrating, compounded by finding out some guys with too much free time were just messing around.
Furthermore, the people at npm probably had other stuff to do, being called up because some dudes were trying to be funny and failed to see what the consequences of their abuse of open source would have. The actual number of contacts they got is probably significantly higher than what we can see. I personally was not affected and so I don't care.
I do however, find the fact that the left pad incident is referred to as such is quite funny. Npm and node were probably a mistake but a mistake that has taught us a lot of good lessons.
It would just be nice if people who are not malicious actors don't try to abuse the system.
I’m viewing this from the past? 4:23 you see the date is set to 4/01/2024 lol top left
I can tell you're American.
I hope Patrick goes on your stream 😂
Def prefer your reaction to this as opposed to theos 😂
Ah, yes.
`npm install *`
Npm is a pain.. Just delete that from internet
God damNPM i am early!
i literally fail to see what the problem here was
Man, this article was pretty bad compared to Theo's coverage of the incident
does somebody know how bun resolves this kind of stuff?
Nobody installs everything...these kind of packages are just created to be able to later make a blog post or a video to trash talk on JS...
Nobody uses git decentralized ??? cmon.
Should I still be using node or switch to Java?
Switch, don’t support this garbage stack
Switch
Are those your only options?
I guess I don't find it impressive or funny. The only thing impressive is that the jackass said "oops sowies" and the internet believes there was "no malicious intent".
Another confirmation that JavaScript is just larping as a real programming language 😂
Can we just agree to stop using JS😊
One more reason to utterly abhor JavaScript programmers.
This article makes JS seem like the worst language of all time
"seem"?..
Seem??? You must be new here
Well I don't want to poo on a language I've never used.
you know that trash dev was involved in it right?
Why are you encouraging the troll? For the lulz? That's idiotic
I am vindicated in my view that JS is trash.
I should feel happy.
I am not.
npm is hell literally🤣
installing all npm is also installing virus
Node and npm are complete garbage heaps
A heap you never want to allocate
first
When you inspect the index.js from the package, only one message : `console.log('You have installed everything... but at what cost?');` 😅
Thoughts and prayers for JS devs.