• Phen@lemmy.eco.br
    link
    fedilink
    arrow-up
    11
    ·
    9 months ago

    Speaking specifically about npm: A ton of packages used as dependencies for a million different things have very loose quality control, some even merge community PRs straight to release without checking the code in any way. More often than not I have run into packages maintained by people with no connection to the original dev and don’t even know how its code actually works.

    I remember a couple years ago I needed to read zip64 files so I picked up the zip file definition and implemented the read operation for it in the package we were using for zips. I only implemented a very small subset of the format to strictly solve my problem. I opened a pr to them saying “here’s some quickstart of you plan to add full support for zip64” - next time I checked they has merged my pr as if was and now were having folks registering issues for incomplete zip64 support.

    • taladar@sh.itjust.works
      link
      fedilink
      arrow-up
      2
      arrow-down
      2
      ·
      9 months ago

      And you think the same language ecosystem that produces those results will suddenly produce better ones when the same code is inlined, probably as a copy of some Stackoverflow code or potentially code they found on GitHub in some random fork of some other repository?

      • Phen@lemmy.eco.br
        link
        fedilink
        arrow-up
        2
        arrow-down
        1
        ·
        9 months ago

        Yes, I trust my coworkers and our company’s workflow enough to produce better code than that.