Hacker News
by nicou 368 days ago
For context, see https://en.wikipedia.org/wiki/Npm_left-pad_incident

11 lines of code! Wow. I had no idea it was that small.
There used to be the general wisdom of, "Don't re-invent the wheel. Let the hive-mind craft utility functions and use those because they'll be battle-hardened, well tested, and you can focus on your core business".

I think the left-pad incident helped shatter that myth. Here we had huge packages depending on a package which padded a string in an inefficient manner.

It turns out that the many eyeballs of the bazaar had averted their gaze from what was actually happening, which is a system of impossible-to-audit dependency chains.

I think it also shows the impact of using a language with a poor standard library.

Padding is absolutely something that should be available as an extension over String.

If JavaScript were controlled in the same manner as Go, Rust, Java, .NET, Python, etc., then it would have been added years ago.

Apparently it has now finally arrived in ES2026: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Refe...

On the flip side, I find that often Python, for example, can go too far in the other direction, with huge kitchen sink libraries that depend on other huge kitchen sink libraries. To the point where installing the most popular library for calculating the area of a 2D polygon requires installing a fast Fourier transform library. If you want a single quite simple image processing function, you're all of a sudden installing advanced graph algorithm and signal processing libraries.
> Apparently it has now finally arrived in ES2026

ES2017 [1]. The MDN docs always link the latest version of the spec; the year in the link doesn't correspond to the version where it was added. The proposal was already mostly done at the time of the incident [2].

[1] https://tc39.es/ecma262/2017/#sec-string.prototype.padstart

[2] https://github.com/tc39/proposal-string-pad-start-end

Oh, I see, sorry the "Specification" section is definitely misleading then by not also linking to the earliest specification it was included in.
> the left-pad incident helped shatter that myth

In what way? Have the dependency trees gotten significantly smaller since then?

I don't think so, but at least awareness of dependencies as liabilities has increased.

I installed `pass` (the lightweight password manager) on a fresh headless system the other day and it brought in like 60 packages including a bunch of X stuff.

Just checked on a fresh install of Fedora 42 "custom operating system" install, so pretty minimal. Didn't even check the "standard tools" box or whatever it's called.

Installing 'pass' pulled in: desktop-file-utils emacs-filesystem git-core libpng qrencode qrencode-libs

Plus weak (optional) dependencies: libwayland-client mailcap wl-clipboard xdg-utils

12 packages, 5 MB download, 24 MB installed. Could be worse, could be better.

I was honestly expecting Fedora to have less than that.

On my particular (Ubuntu) system, `debtree pass` shows 301 dependencies (includes subdependencies) for a total install of 130 MB.

One of the big triggers is the dependency pass->xclip. That sets off a big cascade of X.

Inefficient? What would be an efficient way to do this? .Repeat() a string and then concatenate?
> Most of my open source work followed Unix philosophy, so the packages did one thing at a time. There was 350+ of them.

The man page for a Unix binary is at least two orders of magnitude larger. At some point, the "Unix philosophy" doesn't make sense anymore. I mean, it couldn't even rightpad.

When the metadata for the package is larger than the source code you've probably gone too small!
packages like `left-pad` should really be named more like `resume-pad`

oh look at me, 589 published packages on npm! with 5 700 quadripillion weekly installs!

oh there are thousands of those out there on npm. Short and trivial code. Even if you do not use them at all in your own codebase chances are quite high that some package you do use, uses some of those tiny packages.