The three pillars of JavaScript bloat

Posted by onlyspaceghost 11 hours ago

The three pillars of JavaScript bloat(43081j.com)

370 points | 211 comments

stevoski 4 hours ago|

Well-written article, manages not to sound rant-y while describing the problem well.

I feel like part of the blame for the situation is that JavaScript has always lacked a standard library which contains the "atomic architecture" style packages. (A standard library wouldn't solve everything, of course.)

josephg 2 hours ago||

What functionality is still missing from the JS standard library? The JS standard library seems massive these days.

Edit: Removed a reference to node and bun.

Sharlin 1 hour ago|||

It's not standard unless it's in the actual standard.

simonw 2 hours ago||||

Those aren't a standard library for the language itself - they're not showing up in browsers, for example.

josephg 1 hour ago||

Thanks but that doesn't answer my question. Forget node and bun then. What is missing from the standard library?

simonw 1 hour ago||

What standard library? Do you mean the built-in Array.x etc methods you get in the core language spec?

tshaddox 15 minutes ago|||

I suppose we could quibble about what exactly “standard library” means, but I’m presuming we’re talking about the web (rather than, say, Node or Bun). And to me it’s fair to use it to refer to all web APIs that are widely available. Things like crypto, ArrayBuffer, TextEncoder, File and the File System Access API, Intl, the Streams API, Window.performance, etc.

skydhash 1 hour ago|||

In the browser, Javascript’s role is to add interactivity to the web page, and the API has a good surface area (even if not really pretty). People talk about the lack of standard library, but they can never say what’s missing.

https://developer.mozilla.org/en-US/docs/Web/API

The above seems fairly expansive, even if we remove all the experimental ones in the list.

jefftk 2 hours ago|||

We're talking about JS in browsers: many fewer options there, plus needing to support old devices.

couscouspie 4 hours ago||

I like rants though. They help me understand, not only how people feel about stuff, but also why.

auxiliarymoose 9 hours ago||

I really think writing dependency-free JavaScript is the way to go nowadays. The standard library in JS/CSS is great. So are static analysis (TypeScript can check JSDoc), imports (ES modules), UI (web components), etc.

People keep telling me the approach I am taking won't scale or will be hard to maintain, yet my experience has been that things stay simple and easy to change in a way I haven't experienced in dependency-heavy projects.

Joeri 5 hours ago||

I’ve been exploring this for years, even made a tutorial website about building sites and apps without dependencies (plainvanillaweb.com). What I’ve learned is that many of the things the frameworks, libraries and build tools do can be replaced by browser built-ins and vanilla patterns, but also that making things that way is at present an obscure domain of knowledge.

I think this is because the whole web dev knowledge ecosystem of youtubers and tutorial platforms is oriented around big frameworks and big tooling. People think it is much harder than it actually is to build without frameworks or build tools, or that the resulting web app will perform much worse than it actually will. A typical react codebase ported to a fully vanilla codebase ends up just as modular and around 1.5x the number of lines of code, and is tiny in total footprint due to the lack of dependencies so typically performs well.

To be clear though: I’m not arguing the dependencies are bad or don’t have any benefits at all or that vanilla coding is a superior way. Coding this way takes longer and the resulting codebase has more lines of code, and web components are “uglier” than framework components. What I’m saying is that most web developers are trapped in a mindset that these dependencies must be used when in reality they are optional and not always the best choice.

auxiliarymoose 4 hours ago|||

Thanks for creating and sharing that resource! I'm reading through it now, and it looks fantastic. I'll share it the next time someone asks where to get started with web dev.

Come to think of it, I should write up the techniques I use, too...e.g. I have simple wrappers around querySelector() and createElement() with a bit of TypeScript gymnastics in a JSDoc annotation to add intellisense + type checking for custom elements.

Would you be open to a pull request with a page on static analysis/type checking for vanilla JS? (intro to JSDoc, useful patterns for custom elements, etc.) If not, that's totally OK, but I figure it could be interesting to readers of the site.

And agreed on vanilla/dependency-free not being a silver bullet. There aren't really one-size-fits-all solutions in software, but I've found a vanilla approach (and then adding dependencies only if/when necessary) tends to help the software evolve in a natural way and stay simple where possible.

j45 2 hours ago|||

Nice resource!

Depending on the use case, minimizing dependancies can also decrease attack vectors on the page/app.

robocat 2 hours ago|||

Rendering components is the easy part. Another goal of frameworks is to provide the model (reactive updates): https://mjswensen.com/blog/the-single-most-important-factor-...

What do you use for model updates?

j45 2 hours ago||

Looking into the history of reactive updates, we find that it started with simple javascript commands helped kickstart most of it.

https://en.wikipedia.org/wiki/Ajax_(programming)

The idea of reactivity started in the 1990's in production.

When Gmail was released this technology is what made a website behave like a desktop app (plus the huge amount of storage)

If we were to look into today's equivalent of doing this, it might be surprising what exists in the standard libraries.

Bockit 3 hours ago|||

I've been doing JS for nearly a couple decades now (both front and back) and I landed on the same approach a few years ago. Pick your absolutely minimal set of dependencies, and then just make what you need for everything else. Maybe counter-intuitive to some, I feel like I'm more comfortable maintaining a larger codebase with less people.

What's more, given the tools we have today, it fits really well with agentic engineering. It's even easier to create and understand a homegrown version of a dependency you may have used before.

Maxion 6 hours ago|||

Did this for a project in 2022. Haven't had any drama related to CVEs, hadn't had any issues related to migration from some version of something to another.

The client has not had to pay a cent for any sort of migration work.

jsmith99 2 hours ago|||

Is the lack of CVE because the implementations you wrote are better written and safer than those in the standard libraries or because no one has checked?

foldr 2 hours ago||

Presumably the latter. However, mindlessly bumping package versions to fix bullshit security vulnerabilities is now industry standard practice. Once your client/company reaches a certain size, you will pretty much have to do it to satisfy the demands of some sort of security/compliance jarl.

auxiliarymoose 4 hours ago||||

There are certainly security benefits to keeping things in-house. Less exposure to supply-chain attacks (e.g. shai-hulud malware) and widespread security bugs (e.g. react server components server-side RCE). Plus it's much easier to do a complete audit and threat model of the application when you built and understand everything soup-to-nuts.

Of course, it also means you have to be cautious about problems that dependencies promise to solve (e.g. XSS), but at the same time, bringing in a bunch of third-party code isn't a substitute for fully understanding your own system.

zelphirkalt 56 minutes ago||||

Very laudable, though this is probably also part of the issue: If the client doesn't need any migration work, the dev doesn't get more money, which in turn might be phrased: "It is difficult to get a man to understand something, when his salary depends upon his not understanding it!" -- by someone other than me.

I have worked at employer, where one could have done the frontend easily in a traditional server side templating language since most of the pages where static information anyway and very little interactive. But instead of doing that and have 1 person do that, making an easily accessible and standard-conforming frontend, they decided to go with nextjs and required 3 people fulltime to maintain this, including all the usual churn and burn of updating dependencies and changing the "router" and stuff. Porting a menu from one instance of the frontend to another frontend took 3 weeks. Fixing a menu display bug after I reported it took 2 or 3 months.

j45 2 hours ago||||

It's nice to sidestep the relative brittleness of web implementations simply because of versions.

bell-cot 4 hours ago|||

> The client has not had to pay a cent for ...

From human society's PoV, you sound like a 10X engineer and wonderful person.

But from the C-suite's PoV ...yeah. You might want to keep quite about this.

assimpleaspossi 2 hours ago|||

CSS has a standard library? I stopped doing web dev just three years ago and am not aware of such a thing. Do you mean the CSS standard?

theandrewbailey 2 hours ago||

It wouldn't surprise me if CSS has a standard library. It is Turing complete, after all.

CoderLuii 8 hours ago|||

been doing something similar. the projects ive been building recently use as few dependencies as possible and honestly the maintenance burden dropped significantly. when something breaks you actually know where to look instead of digging through 15 layers of node_modules. people said the same thing to me about it not scaling but the opposite turned out to be true.

auxiliarymoose 5 hours ago||

yeah, plus stack traces, debuggers, and profiling tools are easier to use when all of the non-essential complexity is stripped out. which in turn means it's possible to work productively on software that solves more complex problems.

that's in contrast with the sort of stuff that invariably shows up when something falls over somewhere in a dependency:

    cannot access property "apply" of null
    at forEach()
    at setTimeout()
    at digest()
    at callback()
    at then()
    ...

it's not fun to step through or profile that sort of code either...

leptons 7 hours ago|||

If I need a library for nodejs, the first thing I do is search for the dependency-free option. If I can make that work, great.

anematode 7 hours ago||

This is absolutely the way to go

k__ 3 hours ago||

Doesn't this go against the credo of not building your own crypto?

auxiliarymoose 3 hours ago|||

No, it means using the crypto module in the standard library instead of importing some third party dependency.

embedding-shape 3 hours ago|||

Depends on what cryptography you're talking about, the Web Crypto API exists for quite some time, so I'd say that fits in (usually) with "The standard library in JS/CSS is great".

andai 9 hours ago||

Great article, but I think these are all marginal.

The main cause of bloat is not polyfills or atomic packages. The cause of bloat is bloat!

I love this quote by Antoine de Saint-Exupéry (author of the Little Prince):

"Perfection is achieved, not when there is nothing left to add, but nothing to take away."

Most software is not written like that. It's not asking "how can we make this more elegant?" It's asking "what's the easiest way to add more stuff?"

The answer is `npm i more-stuff`.

cwnyth 8 hours ago||

Cf. Vonnegut's rule #4 of good writing:

> Every sentence must do one of two things—reveal character or advance the action.

Or Quintilian's praise of Demosthenes and Cicero: "To Demosthenes nothing can be added, but from Cicero nothing can be taken away."

Defenestresque 1 hour ago|||

For the curious, the rest of the types:

Use the time of a total stranger in such a way that he or she will not feel the time was wasted.

Give the reader at least one character he or she can root for.

Every character should want something, even if it is only a glass of water.

Every sentence must do one of two things—reveal character or advance the action.

Start as close to the end as possible.

Be a sadist. No matter how sweet and innocent your leading characters, make awful things happen to them—in order that the reader may see what they are made of.

Write to please just one person. If you open a window and make love to the world, so to speak, your story will get pneumonia.

Give your readers as much information as possible as soon as possible. To heck with suspense. Readers should have such complete understanding of what is going on, where and why, that they could finish the story themselves, should cockroaches eat the last few pages.

The greatest American short story writer of my generation was Flannery O'Connor (1925-1964). She broke practically every one of my rules but the first. Great writers tend to do that.

thunky 14 minutes ago||

> Give the reader at least one character he or she can root for.

I've been noticing for a while now this is missing in most modern tv shows. It makes the show feel pointless.

cobbzilla 8 hours ago|||

Is there no room for describing the setting? Must every utterance that sets the atmosphere also advance the plot or reveal character? Is there no room for mood?

nkrisc 54 minutes ago|||

What is the purpose of the setting if not to reveal character or advance the plot?

I don’t need to know the color of the walls if it does neither.

alt187 2 hours ago||||

describing the setting should (ideally) be done through a character's interaction with the setting.

if you're developing some sort of dystopia where everyone is heavily medicated, better to show a character casually take the medication rather than describe it.

of course, that's not a rule set in stone. you can do whatever the fuck you want.

IsTom 4 hours ago||||

He's very efficient with prose and I find it a joy to read (well, given what he's writing about it's not always joy, but still). I'm not sure he's following that rule 100% of the time, but it's close. Depending on the setting, you can often describe it through characters' actions or how it shapes them.

hombre_fatal 7 hours ago||||

> Is there no room for describing the setting? Is there no room for mood?

You mean the character of a place?

cobbzilla 6 hours ago||

sure, setting and character are the same thing

bryanrasmussen 5 hours ago||

the implication is that if mood is the character of the place then those sentences that set mood are advancing character.

josephg 2 hours ago||

Some authors rarely describe a place objectively. We see a space through the eyes of the characters - and in doing so, we learn about our characters as we learn about the space they inhabit.

righthand 2 hours ago||||

The “mood” should reflect the character not the author’s desire to detail out the room.

brigandish 4 hours ago|||

Setting would provide the context for action or characterisation to occur in a meaningful way, or provoke it, so it is necessary part of both (if done for either of those purposes). Given that, the charitable interpretation would be to only provide enough description of the setting for that.

sheept 6 hours ago||

All software has bloat, but npm packages and web apps are notorious for it. Do you think it could be inherent to the language?

JavaScript seems to be unique in that you want your code to work in browsers of the past and future—so a lot of bloat could come from compatibility, as mentioned in the article—and it's a language for UIs, so a lot of bloat in apps and frameworks could come from support for accessibility, internationalization, mobile, etc.

guax 5 hours ago|||

The problem JS development is facing is the same most languages might go through. The "Magic" that solves all problems, frameworks and solutions that solve small issues at a great cost.

Lots of developers don't even say they are JS devs but React devs or something. This is normal given that the bandwidth and power of targets are so large nowadays. Software is like a gas, it will fill all the space you can give it since there is no reason to optimize anything if it runs ok.

I've spent countless hours optimising javascript and css to work across devices that were slow and outdated but still relevant (IE7, 8 and 9 were rough years). Cleverness breads in restrictive environments where you want to get the most out of it. Modern computers are so large that its hard for you to hit the walls when doing normal work.

socalgal2 5 hours ago||||

Every cargo install (rust) I've down downloads 300 to 700 packages

Every C++ app I install in linux requires 250 packages

Every python app I install and then pip install requirements uses 150 packages.

stingraycharles 3 hours ago|||

This is not true at all.

Tade0 3 hours ago||||

A while ago I started a game project in Rust using one of the popular engines.

10GB of build artifacts for the debug target.

embedding-shape 3 hours ago||

You should give it a try to compile other game engines, and compare them, Unreal Engine is a fun one with the source available, take a look how big their artifacts are :)

With that said, there are plenty of small game engines out there, but couple Rust's somewhat slow compile times with the ecosystems preferences for "many crates" over "one big crate", and yeah, even medium-scale game engines like Bevy take a bunch of time and space to compile. But it is a whole game engine after all, maybe not representative of general development in the community.

IshKebab 3 hours ago|||

I wouldn't say every Rust app does, but I do think it has become more normal for Rust apps to have 200-600 dependencies. However when I look at the list, they usually all make sense, unlike with NPM. There are rarely any one-line crates. Actually I haven't seen any yet (except joke ones of course).

There's no way the average C++ app uses 250 packages though. It's usually more like 5. C++ packaging is a huge pain so people tend to use them only when absolutely necessary, and you get huge libraries like Boost primarily because of the packaging difficulty.

I would say Python varies but 150 sounds high. Something more like 50-100 is typical in my experience.

lukan 5 hours ago||||

"Do you think it could be inherent to the language?"

Not to the language but its users. Not to bash them, but most of them did not study IT on a university, did not learn about the KISS principle etc.

They just followed some tutorials to hack together stuff, now automated via LLM's.

So in a way the cause is the language as it is so easy to use. And the ecosystem grew organically from users like this - and yes, the ecosystem is full of bloat.

(I think claude nowdays is a bit smarter, but when building standalone html files without agents, I remember having to always tell chatgpt to explicitely NOT pull in yet another libary, but use plain vanilla js for a standard task, which usually works better and cleaner with the same lines of code or maybe 2 or 3 more for most cases. The standard was to use libaries for every new functionality )

bigstrat2003 5 hours ago|||

> All software has bloat, but npm packages and web apps are notorious for it. Do you think it could be inherent to the language?

It sure seems like it is because JS devs, by and large, suck at programming. C has a pretty sparse standard library, but you don't see C programmers creating shared libraries to determine if a number is odd, or to add whitespace to a string.

qayxc 4 hours ago||

> you don't see C programmers creating shared libraries to determine if a number is odd, or to add whitespace to a string.

Believe me, if C had a way to seamlessly share libraries across architectures, OSes, and compiler versions, something similar would have happened.

Instead you get a situation where every reasonably big modern C project starts by implementing their own version of string libraries, dynamic arrays, maps (aka dictionaries), etc. Not much different really.

derodero24 15 minutes ago||

The polyfill treadmill is the one that gets me. I work on native Node addons so the JS layer is basically just a loader and types — no polyfills, no transpilation targets. Really puts into perspective how much of a typical npm package is compatibility layers for environments nobody actually runs anymore. josephg's right that just tracking Node's EOL schedule would kill a huge chunk of this overnight.

zdc1 10 hours ago||

A lot of this basically reads to me like hidden tech debt: people aren't updating their compilation targets to ESx, people aren't updating their packages, package authors aren't updating their implementations, etc.

Ancient browser support is a thing, but ES5 has been supported everywhere for like 13 years now (as per https://caniuse.com/es5).

tgv 4 hours ago||

> Ancient browser support is a thing

And weird browser support.

People use the oddest devices to do "on demand" jobs (receiving a tiny amount of money for a small amount of work). Although there aren't that many, I've seen user agents from game consoles, TVs, old Androids, iPod touch, and from Facebook and other "browser makers", with names such as Agency, Herring, Unique, ABB, HIbrowser, Vinebre, Config, etc. Some of the latter look to be Chrome or Safari skins, but there's no way to tell; I don't know what they are. And I must assume that quite a few devices cannot be upgraded. So I support old and weird browsers. The code contains one externally written module (stored in the repository), so it's only a matter of the correct transpiler settings.

anematode 10 hours ago|||

The desire to keep things compatible with even ES6, let alone ES5 and before, is utterly bizarre to me. Then you see folks who unironically want to maintain compatibility with node 0.4, in 2025, and realize it could be way worse....

Ironically, what often happens is that developers configure Babel to transpile their code to some ancient version, the output is bloated (and slower to execute, since passes like regenerator have a lot of overhead), and then the website doesn't even work on the putatively supported ancient browsers because of the use of recent CSS properties or JS features that can't be polyfilled.

I've even had a case at work where a polyfill caused the program to break. iirc it was a shitty polyfill of the exponentiation operator ** that didn't handle BigInt inputs.

Slothrop99 5 hours ago|||

Maybe I didn't look hard enough, but there's no obvious switch to "just turn off all the legacy stuff, thnx".

Also, there has been a huge amount of churn on the tooling side, and if you have a legacy app, you probably don't wanna touch whatever build program was cool that year. I've got a react app which is almost 10 years old, there has to be tons of stuff which is even older.

vkou 5 hours ago||

> Maybe I didn't look hard enough, but there's no obvious switch to "just turn off all the legacy stuff, thnx".

There is. Break compatibility for it, and whatever poor bastard that is still maintaining software that is targeting a PalmPilot is free to either pin to an older version of your library, or fork it. Yes, that's a lot of pain for him, but it makes life a little easier for everyone else.

josephg 2 hours ago|||

This is my philosophy too. If the nodejs project doesn't support node 18, why on earth should I?

Here's the schedule, if anyone hasn't seen it. Node 18 is EOL. Node 20 goes EOL in a bit over a month.

https://nodejs.org/en/about/previous-releases

Slothrop99 4 hours ago|||

[dead]

Pxtl 8 hours ago||||

It's just an excuse to not change things.

fragmede 9 hours ago||||

Just how old an Android device in the developing world do you not want to support? Life's great at the forefront of technology, but there's a balancing act to be able to support older technology vs the bleeding edge.

anematode 9 hours ago|||

I like the sentiment, but building a website that can actually function in that setting isn't a matter of mere polyfills. You need to cut out the insane bloat like React, Lottie, etc., and just write a simple website, at which point you don't really need polyfills anyway.

In other words, if you're pulling in e.g. regenerator-runtime, you're already cutting out a substantial part of the users you're describing.

Dylan16807 9 hours ago||||

A quick search tells me that firefox 143 from 6 months ago supported android 5 (Lollipop).

So that's my cutoff.

dfabulich 8 hours ago|||

Android phones update to the latest version of Chrome for 7 years. As long as you're using browser features that are Baseline: Widely Available, you'll be using features that were working on the latest browsers in 2023; those features will work on Android 7.0 Nougat phones, released in 2016.

Android Studio has a nifty little tool that tells you what percentage of users are on what versions of Android. 99.2% of users are on Android 7 or later. I predict that next year, a similar percentage of users will be on Android 8 or later.

kennywinker 8 hours ago||

3.9 billion android users, means that 0.8% is 31 million people - and for a very small number of developers most of their users will be from that slice. For most of them… yeah go ahead an assume your audience is running a reasonably up to date os

oflebbe 5 hours ago||

Websites built with tons of polyfills are likely not run on these devices anyway, since they will run out of RAM before, let alone after they will only load after sone minutes because of CPU limitations on top of not being loaded because their x509 certs are outdated as well as the bandwith they support is not suitable to load MB sited pages

hsbauauvhabzb 9 hours ago|||

I’ve been very lost trying to understand the ecosystem between es versions , typescript and everything else. It ends up being a weird battle between seemingly unrelated things like require() vs import vs async when all I want to do is compile. All while I’m utterly confused by all the build tools, npm vs whatever other ones are out there, vite vs whatever other ones are out there, ‘oh babel? I’ve heard the name but no idea what it does’ ends up being my position on like 10 build packages.

This isn’t the desire of people to build legacy support, it’s a broken, confusing and haphazard build system built on the corpses of other broken, confusing and haphazard build systems.

anematode 7 hours ago|||

Honestly, Vite is all you need. :) It's super flexible compared to the status quo of require vs. import etc. For example, I recently wanted to ship a WASM binary along with the JS rather than making it a separate download (to avoid having to deal with the failure case of the JS code loading and the WASM not fetching). All I had to do was import `a.wasm?url` and it did the base64 embedding and loading automatically.

Maxion 6 hours ago||

This sentiment is all well and good, but when you end up in a new-to-you JS codebase with a list of deps longer than a Costco receipt using some ancient Webpack with it's config split into 5 or so files, then no-one is letting you upgrade to vite unless the site is completely down.

tankenmate 1 hour ago|||

It's almost like Churchill's quip "He has all the virtues I dislike and none of the vices I admire". In other words, in some ways the JS ecosystem rushes to all the tech debt inducing "shiny shiny" and avoids all the tech debt reducing "hard work of refactoring and wisdom". It's almost like a large chunks of the JS ecosystem thrives on "the dopamine hit". Santayana's wisdom whispers behind every import.

anematode 6 hours ago|||

Sad but true...

CoderLuii 8 hours ago||||

this is exactly where i landed too. i build docker images that bundle node tooling and every time i think i understand the build system something changes. require vs import, cjs vs esm, babel vs swc vs esbuild, then half your dependencies use one format and half use the other. the worst part is when you containerize it because now you need it all to work in a clean linux environment with no cached state and suddenly half the assumptions break.

conartist6 8 hours ago|||

Yes, yes to all of that, but there is still hope.

hsbauauvhabzb 8 hours ago||

This fancy new build tool with emojis will fix it!

kennywinker 8 hours ago||

This fancy new vibe coded build tool with emojis

hsbauauvhabzb 4 hours ago||

Built in rust

conartist6 56 minutes ago||

Mmmmhm. But not all the people building devtools got distracted by a pretty butterfly.

hrmtst93837 6 hours ago|||

The root isuue is that the web rewards shipping now and fixing later so old deps and conservative targts linger until stuff breaks.

Tade0 3 hours ago|||

Sometimes it's a result of unforeseen consequences of design decisions.

All pre-signal Angular code must be compiled down to JS which replaces native async with Promise.

Why is that so? For a long time Angular's change detection worked by overriding native functions like setTimeout, addEventListener etc. to track these calls and react accordingly. `async` is a keyword, so it's not possible to override it like that.

Signals don't require such trickery and also allow to significantly decrease the surface area of change detection, but to take advantage of all of that one has to essentially rewrite the entire application.

userbinator 10 hours ago|||

The newer version is often even more bloated. This whole article just reinforces my opinion of "WTF is wrong with JS developers" in general: a lot of mostly mindless trendchasing and reinventing wheels by making them square. Meanwhile, I look back at what was possible 2 decades ago with very little JS and see just how far things have degraded.

jazzypants 5 minutes ago|||

Literally nothing has degraded. What in the world are you talking about? All of this stuff is optional.

prinny_ 3 hours ago||||

I believe if you read this article https://www.artmann.co/articles/30-years-of-br-tags your "wtf is wrong with js developers" question will be answered.

michaelchisari 9 hours ago||||

A standard library can help, but js culture is not built in a way that lends to it the way a language like Go is.

It would take a well-respected org pushing a standard library that has clear benefits over "package shopping."

halapro 7 hours ago|||

> WTF is wrong with JS developers

Don't confuse "one idiot who wants to support Node 0.4 in 2026" with "JS developers". Everybody hates this guy and he puts his hands into the most popular packages, introducing his junk dependencies everywhere.

saghm 6 hours ago|||

If everyone hates him and thinks his dependencies are junk, why would anyone let him introduce them to popular packages? Clearly there are at least some people who are indifferent enough if the dependencies are getting added elsewhere

Maxion 6 hours ago||||

The other problem is that this is a bit of a circular path, with deps being so crap and numerous, upgrading existing old projects become a pain. There are A LOT of old projects out there that haven't been updated simply because the burden to do so is so high.

userbinator 6 hours ago|||

Then I wish there were more of these "idiots who want to support Node 0.4 in 2026". Maybe they're the ones with the common sense to value stability and backwards compatibility over constantly trendchasing the new and shiny and wanting to break what was previously working in the misguided name of "progress".

josephg 2 hours ago|||

NodeJS has a clear support schedule for releases. Once a version of nodejs is EOL, the node team stops backporting security fixes. And you should really stop using it. Here's the calendar:

https://nodejs.org/en/about/previous-releases

Here's a list of known security vulnerabilities affecting old versions of nodejs:

https://nodejs.org/en/about/eol

In my opinion, npm packages should only support maintained versions of nodejs. If you want to run an ancient, unsupported version of nodejs with security vulnerabilities, you're on your own.

Griffinsauce 6 hours ago||||

You wouldn't if you look more deeply at this. He doesn't push for simplicity but for horrible complexity with an enormous stack of polyfills, ignoring language features that would greatly reduce all that bloat. .

hrmtst93837 7 hours ago||

[dead]

g947o 53 minutes ago||

https://immich.app/cursed-knowledge

> There is a user in the JavaScript community who goes around adding "backwards compatibility" to projects. They do this by adding 50 extra package dependencies to your project, which are maintained by them.

> https://github.com/immich-app/immich/pull/10690

12345hn6789 5 minutes ago|

A little more context since they scrubbed that PR.

https://news.ycombinator.com/item?id=45447390

https://github.com/A11yance/axobject-query/pull/354

This user actively gets paid off of how many downloads their packages get, which makes sense why there are so many. As well as the attitude to change others repositories to use his packages

prinny_ 3 hours ago||

Everyone trash talking the JS ecosystem without contributing the slightest to the conversation would benefit a lot if they read https://www.artmann.co/articles/30-years-of-br-tags in order to understand the evolution of the language and its tooling.

Nobody argues what we currently have is great and that we shouldn't look to improve it. Reducing it to "JS developers bad" is an embarrassing statement and just shows ignorance, not only of the topic at hand, but of an engineering mindset in general.

follie 2 hours ago||

I find the mindset of trying to understand and accept bad fine in moderation but as defeatist when taken past the end of the block. It doesn't matter why JS is bad and will harm your future prospects if you approach it with too much acceptance. We always need to be examining the practice in front of us and the theory that would be a better replacement for it and trying to make the leaps at the right times to keep getting paid while not becoming part of the problem ourselves.

Science advances one funeral at a time applies to software with things going at a faster pace so a good software engineer needs to fake a few funerals or really be senior at 4 years to be dead by 7.

KronisLV 2 hours ago|||

> “JS developers bad“

I found it to be a nice post that documents why things sometimes are bad. It didn’t feel accusatory at the developers themselves, but seemed to serve as a reasonable critique of the status quo?

n_e 2 hours ago||

I assume they were talking about the comments here, not the post which I agree is great.

n_e 2 hours ago||

[dead]

AltruisticGapHN 2 hours ago||

"some people apparently exist who need to support ES3 - think IE6/7, or extremely early versions of Node.js"

Seriously what kind of business today needs to support ES3 browsers? Even banking sites should refuse to run on such old devices out of security concerns.

skrebbel 2 hours ago||

This is 100% teams who set up their build tooling back in 2015 and haven't updated since. There's plenty widely used apps and libs that date this far back, and back then, IE8 compat was considered pretty important still, esp for products targeting enterprise/government customers.

Upgrading eg Webpack and Babel and polyfill stacks and all that across multiple major versions is a serious mess. Lots of breaking changes all around. Much better to just ship features. If it ain't broke, don't fix it!

esprehn 1 hour ago|||

No one really does, but there's one particular individual who keeps pushing to support things like node 0.3 and who also maintains all those low level intrinsic packages.

jgilias 1 hour ago||

I remember reading somewhere that Deutsche Bahn is running Windows 3.1 for something still?

wheattoast 2 hours ago||

“Alternatively, what’d be really nice is if they upgraded“

Easy enough for y’all with techie salaries, but as one of the millions of poor folks whose paychecks barely (or don’t even) pay the bills, it’d be really nice if we didn't have to junkheap our backbreakingly expensive hardware every few years just cuz y’all are anorexically obsessed with lean code, and find complex dependancies too confusing/bothersome to maintain.

jefftk 2 hours ago|

They're talking about people still running ES3 browser engines, like IE8, which was released 15+ years ago and went EOL 10+ years ago. The author could have done a better job clarifying this, but they're not pushing for a world with 2y device lifetimes.

rtpg 8 hours ago|

I think on the first point, we have to start calling out authors of packages which (IMO) have built out these deptrees to their own subpackages basically entirely for the purpose of getting high download counts on their github account

Like seriously... at 50 million downloads maybe you should vendor some shit in.

Packages like this which have _7 lines of code_ should not exist! The metadata of the lockfile is bigger than the minified version of this code!

At one point in the past like 5% of create-react-app's dep list was all from one author who had built out their own little depgraph in a library they controlled. That person also included download counts on their Github page. They have since "fixed" the main entrypoint to the rats nest though, thankfully.

https://www.npmjs.com/package/has-symbols

https://www.npmjs.com/package/is-string

https://github.com/ljharb

g947o 51 minutes ago||

https://immich.app/cursed-knowledge

> 6/28/2024

12345hn6789 3 minutes ago|||

Reminder this user is paid per download https://github.com/A11yance/axobject-query/pull/354#issuecom...

matheusmoreira 8 hours ago|||

> entirely for the purpose of getting high download counts on their github account

Is this an ego thing or are people actually reaping benefits from this?

Anthropic recently offered free Claude to open source maintainers of repositories with over X stars or over Y downloads on npm. I suppose it is entirely possible that these download statistics translate into financial gain...

g947o 47 minutes ago|||

Yes.

https://github.com/A11yance/axobject-query/pull/354

https://github.com/A11yance/aria-query/pull/497

domenicd 3 hours ago||||

Yes, there's definitely a financial gain aspect here. Tidelift provides $50/month for each of these packages. https://tidelift.com/lifter/search/npm/has-symbols

The incentives are pretty clear: more packages, more money.

martijnvds 8 hours ago||||

I've seen people brag about it in their resumes, so I assume it helps them find (better paying?) work.

stephenr 6 hours ago|||

I'm completely apathetic about spicy autocomplete for coding tasks and even I wonder which terrible code would be worse.

The guy who wrote is even/odd was for ages using a specifically obscure method that made it slower than %2===0 because js engines were optimising that but not his arcane bullshit.

h4ch1 8 hours ago|||

I remember seeing this one guy who infiltrated some gh org, and then started adding his own packages to their dependencies or something to pad up his resume/star count.

Really escapes me who it was.

g947o 47 minutes ago||

https://github.com/A11yance/axobject-query/pull/354

https://github.com/A11yance/aria-query/pull/497

h4ch1 38 minutes ago||

yes! this.

CoderLuii 8 hours ago|||

from a security perspective this is even worse than it looks. every one of those micro packages is an attack surface. we just saw the trivy supply chain get compromised today and thats a security tool. now imagine how easy it is to slip something into a 7 line package that nobody audits because "its just a utility." the download count incentive makes it actively dangerous because it encourages more packages not fewer.

robpalmer 3 hours ago|||

The article and (overall) this comments section has thankfully focused on the problem domain, rather than individuals.

As the article points out, there are competing philosophies. James does a great job of outlining his vision.

Education on this domain is positive. Encouraging naming of dissenters, or assigning intent, is not. Folks in e18e who want to advance a particular set of goals are already acting constructively to progress towards those goals.

whstl 29 minutes ago||

People aren't criticizing the development philosophy in this subthread. This has been done by the article itself and by several people before.

What people are criticizing is the approach in pushing this philosophy into the ecosystem for allegedly personal gain.

The fact that this philosophy has been pushed by a small number of individuals shows this is not a widespread belief in the ecosystem. That they are getting money out of the situation demonstrates that there is probably more to the philosophy than the technical merits of it.

This is a discussion that needs to happen.

technion 6 hours ago|||

As usual, there's a cultural issue here. I know it's entirely possible to paste those seven lines of code into your app. And in many development cultures this will be considered a good thing.

If you're working with Javascript people, this is referred to as "reinventing the wheel" or "rolling your own", or any variation of "this is against best practice".

rtpg 6 hours ago|||

I think the fact that everyone cites the same is-number package when saying this is indicative of something though.

Like I legit think that we are all imagining this cultural problem that's widespread. My claim (and I tried to do some graph theory stuff on this in the past and gave up) is that in fact we are seeing something downstream of a few "bad actors" who are going way too deep on this.

I also dislike things like webpack making every plugin an external dep but at least I vaguely understand that.

serial_dev 6 hours ago||

Have you heard of the left pad incident?

The problem is not imagined.

saghm 6 hours ago||||

The point isn't that everyone needs to write the same code manually necessarily. It's that an author could easily just combine the entire tree of seven line packages into the one package the create-react-app uses directly. There's no reason to have a dozen or so package downloads each with seven lines of code instead of one that that's still under under a hundred lines; that's still a pretty small network request, and it's not like dead code analysis to prune unused functions isn't a thing. If you somehow find yourself in a scenario where you would be happy to download seven lines of code, but downloading a few dozen more would be an issue, that's when you might want to consider pasting the seven lines of code manually, but I honestly can't imagine when that would be.

stephenr 6 hours ago|||

The problem I think is that the js community somehow thinks that being on npm is some bastion of good quality.

Just as the cloud is simply someone else's computer, a package is just someone else's reinvented wheel.

The problem is half the wheels on npm are fucking square and apparently no one in the cult of JavaScript realises it.

hinkley 8 hours ago|||

Hat tip to Sindre who has fifty bagillion packages but few of them depend on more than one of his other packages.

stephenr 8 hours ago||

As usual, he's copying someone else who's been doing this for years:

https://www.npmjs.com/package/is-number - and then look and see shit like is odd, is even (yes two separate packages because who can possibly remember how to get/compare the negated value of a boolean??)

Honestly for how much attention JavaScript has gotten in the last 15 years it's ridiculous how shit it's type system really is.

The only type related "improvement" was adding the class keyword because apparently the same people who don't understand "% 2" also don't understand prototypal inheritance.

zahlman 7 hours ago||

To be fair, prototypal inheritance is relatively uncommon language design. I'd rank it as considerably harder to understand than the % operator.

stephenr 6 hours ago||

That's a good point, it's only been around for 30 years, and used on 95% of websites. It's not really popular enough for a developer to take an hour or two to read how it works.

saghm 6 hours ago||

The word "used" is doing some heavy lifting there. Not all usage is equal, and the fact that it's involved under the hood isn't enough to imply anything significant. Subatomic physics is used by 100% of websites and has been around for billions of years, but that's not a reason to expect every web developer to have a working knowledge of electron fields.

stephenr 5 hours ago||

Fair point.

Let's compromise and say that whoever is responsible for involving (javascript|electron fields) in the display of a website, should each understand their respective field.

I don't expect a physicist or even an electrical engineer or cpu designer to necessarily understand JavaScript. I don't expect a JavaScript developer to understand electron fields.

I do expect a developer who is writing JavaScript to understand JavaScript. Similarly I would expect the physicist/etc to understand how electrons work.

More comments...