• Object@sh.itjust.works · 30 upvotes · 3 days ago

    found 7745962577 vulnerabilities (7653345675 low, 91726393 medium, 817263 high, 73246 critical)

      • SuperSpruce@lemmy.zip · 8 upvotes · 3 days ago

        Vulnerabilities are flaws in software that may allow an attacker to gain control of or eavesdrop on a system.

        They are categorized into low, medium, and high severities based on how easy it is to exploit the vulnerability and how much damage a successful attack utilizing that vulnerability would do.

        • Contentedness@lemmy.nz · 5 upvotes · 3 days ago

          I’ll add that you get these vulnerability reports whenever you install a new module into a node project, though the example here is extreme.

  • ddplf@szmer.info (Banned from community) · 9 upvotes, 8 downvotes · edited · 3 days ago

    Which is of very little importance in most cases, because modern bundlers incorporate treeshaking in order to filter out all the unused code when you’re building a production application

    Edit: okay, well, apparently that’s controversial for some reason

    • BlueMagma@sh.itjust.works · 6 upvotes · 3 days ago

      I didn’t know about treeshaking (still unsure what it is exactly since I’m not a JS dev), but I’m guessing it still takes up gigs of space in the project folder of every dev’s PC, duplicated for each project.

      • ddplf@szmer.info (Banned from community) · 4 upvotes · 2 days ago

        It does take a lot of space for devs, but personally I find that absolutely irrelevant, because it’s your end user’s experience that really matters, and - as a dev - you are most likely to have a much better rig and internet connection than your average Joe.

        • jim3692@discuss.online · 3 upvotes · edited · 2 days ago

          Sure, in many cases the dev’s computer is powerful enough to handle that.

          However:

          • The more the dependencies, the more likely it is to pull off a supply chain attack. Any of those thousands of modules can be compromised and infect either the user or the developer.
          • Not all computers are optimized for working with so many tiny files. Have you ever worked in a company that uses McAfee Antivirus? Even Defender can be a massive performance hit in some cases.
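The supply-chain point above is about the size of the dependency surface a project actually pulls in. As an added example (not code from anyone in the thread), the script below walks an npm `package-lock.json` in the documented `lockfileVersion: 3` shape and reports how many distinct packages are reachable from the project, how deep the transitive chains go, which package names are installed in more than one version, and which entries lack an `integrity` hash. The package names, versions and URLs are constructed, and the walk is simplified to the `dependencies` field only (no `optionalDependencies` or `peerDependencies`); it does not consult any advisory database, so it measures exposure, not known vulnerabilities.

```javascript
// Added example, not from the thread. A constructed lockfileVersion 3 document:
// the "" entry is the project itself; every other key is an install path.
const LOCKFILE = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { 'left-trim': '^1.0.0', 'tiny-http': '^2.1.0' } },
    'node_modules/left-trim': {
      version: '1.0.3',
      resolved: 'https://registry.example/left-trim/-/left-trim-1.0.3.tgz',
      integrity: 'sha512-CONSTRUCTED-AAAA',
      dependencies: { 'is-string': '^0.5.0' },
    },
    'node_modules/is-string': {
      version: '0.5.1',
      resolved: 'https://registry.example/is-string/-/is-string-0.5.1.tgz',
      integrity: 'sha512-CONSTRUCTED-BBBB',
    },
    'node_modules/tiny-http': {
      version: '2.1.0',
      resolved: 'https://registry.example/tiny-http/-/tiny-http-2.1.0.tgz',
      integrity: 'sha512-CONSTRUCTED-CCCC',
      dependencies: { 'is-string': '^0.4.0', 'parse-url': '^3.0.0' },
    },
    // tiny-http needs an older is-string, so npm nests a second copy under it.
    'node_modules/tiny-http/node_modules/is-string': {
      version: '0.4.9',
      resolved: 'https://registry.example/is-string/-/is-string-0.4.9.tgz',
      integrity: 'sha512-CONSTRUCTED-DDDD',
    },
    // Constructed defect: no integrity hash, so the tarball is not pinned.
    'node_modules/parse-url': {
      version: '3.2.0',
      resolved: 'https://registry.example/parse-url/-/parse-url-3.2.0.tgz',
    },
  },
};

// The package name is whatever follows the last "node_modules/" (keeps @scope/name intact).
function packageName(lockPath) {
  const marker = 'node_modules/';
  return lockPath.slice(lockPath.lastIndexOf(marker) + marker.length);
}

// npm's lookup rule: try the nearest nested node_modules first, then walk toward the root.
function resolveDependency(packages, fromPath, depName) {
  let base = fromPath;
  for (;;) {
    const candidate = `${base ? base + '/' : ''}node_modules/${depName}`;
    if (packages[candidate] !== undefined) return candidate;
    if (base === '') return null;
    base = base.slice(0, base.lastIndexOf('node_modules/')).replace(/\/$/, '');
  }
}

// Breadth-first walk from the project root; depth is the shortest chain to each package.
function auditLockfile(lockfile) {
  const packages = lockfile.packages;
  const depth = new Map([['', 0]]);
  const unresolved = [];
  const queue = [['', 0]];
  while (queue.length > 0) {
    const [path, d] = queue.shift();
    for (const name of Object.keys(packages[path].dependencies || {})) {
      const target = resolveDependency(packages, path, name);
      if (target === null) { unresolved.push(`${path || '<root>'} -> ${name}`); continue; }
      if (!depth.has(target)) { depth.set(target, d + 1); queue.push([target, d + 1]); }
    }
  }
  depth.delete('');
  const paths = [...depth.keys()];
  const versionsByName = new Map();
  for (const p of paths) {
    const n = packageName(p);
    versionsByName.set(n, (versionsByName.get(n) || 0) + 1);
  }
  return {
    packageCount: paths.length,
    maxDepth: Math.max(0, ...depth.values()),
    duplicates: [...versionsByName].filter(([, count]) => count > 1).map(([n]) => n).sort(),
    missingIntegrity: paths.filter((p) => !packages[p].integrity).sort(),
    unresolved,
  };
}

console.log(JSON.stringify(auditLockfile(LOCKFILE), null, 2));
```

On the constructed lockfile this reports five installed packages behind two direct dependencies, a maximum chain depth of two, `is-string` present twice, and `node_modules/parse-url` with no integrity hash. Run against a real project's `package-lock.json` (parse the file with `JSON.parse` and pass the object in) the same numbers show how far the "two dependencies" in `package.json` actually reach.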
          • ddplf@szmer.info (Banned from community) · 2 upvotes · 2 days ago

            I have to say that I may be a bit ignorant, because I’m mostly engaged in greenfield projects with very tiny dev teams and I always keep my dependency count as low as possible.

            Thank you for pointing this out; that’s very valuable to keep in mind.

      • Pieisawesome@lemmy.dbzer0.com · 3 upvotes · 3 days ago

        Tree shaking is essentially reducing the amount of included code to only the stuff being used.

        Let’s say you have a JAR, DLL, or whatever with 5 functions.

        Your application calls function A which also calls function B of the DLL/jar.

        Tree shaking says “hmm, if I follow the code execution path, I only need 2/5 functions from the DLL/jar” and discards the remaining 3/5 functions.

        This significantly reduces the bundle size (the bundle is what is sent to the browser).
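The walk the comment describes ("follow the code execution path, keep 2/5 functions") is a reachability analysis over a call graph. The toy tree shaker below is an added example written for this page, not code from anyone in the thread or from any real bundler: the library of five functions, their sizes and their call edges are constructed, and the `dynamic` flag is a hypothetical marker standing in for a function that picks its callee by name at runtime, which is the case static analysis cannot follow.

```javascript
// Added example, not from the thread. Constructed library: each export lists its
// size in bytes and the functions it calls. `dynamic: true` marks a function that
// looks callees up by name at runtime, so nothing beyond it can be proven unused.
const LIBRARY = {
  A: { size: 1200, calls: ['B'] },
  B: { size: 800, calls: [] },
  C: { size: 5000, calls: ['D'] },
  D: { size: 3000, calls: [] },
  E: { size: 2200, calls: [] },
};

// Follow the execution path from the application's entry points and collect every
// function reachable from them. A dynamic lookup anywhere on that path forces the
// conservative answer: keep the whole library.
function reachable(library, entryPoints) {
  const kept = new Set();
  const stack = [...entryPoints];
  while (stack.length > 0) {
    const name = stack.pop();
    if (kept.has(name)) continue;
    const fn = library[name];
    if (fn === undefined) throw new Error(`unknown function: ${name}`);
    kept.add(name);
    if (fn.dynamic) return new Set(Object.keys(library));
    stack.push(...fn.calls);
  }
  return kept;
}

// Bundle report: what survives, what is dropped, and the byte totals before and after.
function shake(library, entryPoints) {
  const kept = reachable(library, entryPoints);
  const size = (names) => names.reduce((total, n) => total + library[n].size, 0);
  const keptNames = [...kept].sort();
  const droppedNames = Object.keys(library).filter((n) => !kept.has(n)).sort();
  return {
    kept: keptNames,
    dropped: droppedNames,
    bundleBytes: size(keptNames),
    originalBytes: size(Object.keys(library)),
  };
}

// The application calls only A, and A calls B: the bundle keeps A and B, drops C, D, E.
console.log(shake(LIBRARY, ['A']));

// Same library, but A now dispatches by name; the shaker has to keep all five.
const DYNAMIC_LIBRARY = { ...LIBRARY, A: { size: 1200, calls: ['B'], dynamic: true } };
console.log(shake(DYNAMIC_LIBRARY, ['A']));
```

Real bundlers do this at the granularity of ES module exports and depend on `import`/`export` being static, which is why computed `require()` paths and modules with import-time side effects defeat shaking. Note also what shaking changes and what it does not: it shrinks the bundle sent to the browser, but every package in `node_modules` is still installed and its install scripts and build-time code still run on the developer's machine.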

      • dazeous@lemmy.ml · 3 upvotes · 3 days ago

        Some use the ‘pnpm’ package manager, an alternative to the default, where the packages are downloaded once to a central location and each project directory links to the original location, so files aren’t duplicated, saving space.

    • dazeous@lemmy.ml · 3 upvotes · 3 days ago

      node_modules might take a lot of space on a dev machine, but as OP said, only the files used are packed into the web artifacts that are deployed.

      So 12 GB can end up as 10 MB (arbitrary numbers, to highlight the significance of tree shaking).