Hacker News new | ask | show | jobs
by culi 26 days ago
"unsafe" seems quite different from the "dangerously [...]" phrasal template. I don't think it's a stretch to suppose it was inspired by React. Still waiting for this one to catch on:

  React.__SECRET_INTERNALS_DO_NOT_USE_OR_YOU_WILL_BE_FIRED
https://github.com/reactjs/react.dev/issues/3896
1 comments
urbandw311er 26 days ago
This is sometimes exposed in front end browser code and I had an actual (non technical) end user email our support team last month asking if it was something they should be concerned about! God knows how they found it, I suspect everyone is now an AI-enabled expert at these thingsā€¦
link
culi 26 days ago
Oh I've stumbled upon it myself while coding. You can ctrl/cmd-click into any React type and it will take you to its explicit source definition. I'm not sure if it's still the case but they used to have all of the types organized into a single file. Since I was the go-to TypeScript person at one job I had I made sure to familiarize myself with every type (less than you'd expect)
link
moritzwarhier 24 days ago
The point of that scary flag name was the stance that source maps should never be deployed in production.

There are stances that say they should, browse a large SPA with complex working source maps enabled, DevTools open, cache disabled and a long session (relevant because of HMR in dev), and you can see why this matters.

Browsers only fetch and process source maps in a development environment in production, that's why this flag name exists.

That being said, I still have a hobby project with an (in my opinion) sensible (at the time) Webpack configuration, and glossed over this being in the minified bundle, after 1-2 days at the time.

But if my hobby project would have been something production-relevant, I'd have continued to hunt down this artifact.

I think, with Vite et al this should not appear anymore in current JS bundles ready for prod, so the name is apt.

But the underlying problem is still a neverending source of frustration: minification is (by definition, when it's statically verifiable), not equipped to change object property names without provoking breakage.

link
culi 21 days ago
I don't think it ever appeared in JS bundles. I'm just saying it's available to any dev in their IDEs with a simple ctrl+click
link
moritzwarhier 17 days ago
In Webpack times, early React 18 days, manual config, "ejected" and adjusted from CRA, I did have it in my production bundle.

I just gave up checking on why after a couple hours because it was a hobby project.

Haven't seen it in a long time since then, but there are many overlapping factors here.

As far as I know, Vite/Rollup tree shaking is strictly better than what Webpack + Terser did, but I'm wondering where the difference comes from.

Maybe it's even a JSDoc annotation or something else that is esoteric.

Because tree-shaking all property names in JS without making static analysis arbitrarily complex, is still not possible.

So, if the change was not on React's side, I'd guess it is in bundler minifying heuristics or a backwards-compatible change that makes the property name inaccessible and erasable by other means.

link