Kik is wrong, but so are nodejs devs

Did you hear the one about the dev who broke nodejs?

Once upon a time there was a nodejs developer. He built stuff for the community that many people used. Then a side project, “kik”, got owned by a dick-company called Kik who refused to not be dicks. Then the developer pulled down a bunch of packages that ended up breaking the world. And everybody lived happily ever after.

Yes, I read the full email exchange. Azer was a dick, I can’t deny that, but Kik were bigger dicks for forcing the issue in the first place.

But really, the bigger issue here is the way devs have come to “write code”, especially in the nodejs world. In a dynamic language where deployment requires the entire app’s source code, including the source code of every dependency, it’s surprising how often a dev will prefer to add one more dependency rather than repeat code that’s been done before. Even when that code is absurdly simple.

So as far as I’m concerned, all you node zealots are insane. Adding dependencies to a project to avoid writing a couple hours of local code you can easily see and debug? Yeah, it saves time at first… until you find a bug in upstream. Or you need to do things just a bit differently than the package. Or upstream is lost/destroyed/hacked. Or you want your developers to actually understand WHY left padding has to be done a certain way so they can generalize on that information.

EVERY dependency adds risk. Relying on a package you don’t control for trivial functionality is, at best, hopelessly lazy.

But then there’s another issue: why are people having such problems in the first place? When we used Perl modules at Musician’s Friend, we had a local copy of modules we considered to be “gold” (production-ready). Our production application used these modules and local code. Nothing else was allowed. Deploys didn’t happen if a new module didn’t clear QA and get copied up to our local cpan repository first.

In my mind, this is the only way to go for mission-critical work. If you’re going to depend on something external, you better the fuck have a local copy of that external dependency, and all of its external dependencies. And you better the fuck make sure that shit is safe and secure, not just stuck on some dev’s hard drive somewhere. And you BETTER THE FUCK have it set up in such a way that your production systems NEVER depend on the external code. They point to your local copy. You don’t upgrade that shit in production until it’s tested locally.

This situation should have been a minor inconvenience, not something that broke anything important. And once people figured out what was up, they should have copied the “left pad” from their gold repo, grumbled a bit, and called it a day.
