Why Phobos is cool

Petar Petar
Thu Jun 25 16:14:58 UTC 2020


On Thursday, 25 June 2020 at 15:30:18 UTC, Guillaume Piolat wrote:
> On Thursday, 25 June 2020 at 14:41:49 UTC, Petar Kirov 
> [ZombineDev] wrote:
>>
>> So 146 number is pretty laughable in comparison. Running `yarn 
>> list | wc -l` on a random project of ours gives me 7368 :D
>>
>
> I'll assume your post isn't satire ^^

Yes, it's just a real, random data point, which is pretty typical 
for many frontend projects nowadays :/

> This doesn't really work for native since:
> - there is the cost of compiling this ahead of time, which 
> isn't negligible and with a cost structure unlike Javascript 
> (in the best case, code has to be compiled in and then stripped 
> by linker, very slow)

I know, I know. We use TypeScript, so our code and many of our 
dependencies actually need to be compiled before the program can 
be executed. For example, running a project after git clone takes 
between 1 and 10 minutes. (When it's more than 2-3 mins it's actually 
because of C/C++. Many nodejs packages are actually C/C++ code 
with JS bindings, which needs to be compiled on npm install, 
because in the npm world, typically they ship only source code 
and not binaries. And also because Node didn't have a stable ABI 
before, so if you wanted to support Node.js versions released 
in the past several years, you would have to ship 20 different 
binaries of the same library :D)
But that's just the first time, because TypeScript and React.js 
(through webpack) have incremental compilation, so each change 
takes less than several seconds (in many cases less than 1 sec). 
By change, I mean the time to typecheck and emit JS code. Of 
course I'm well aware that this is not a fair comparison to pure 
"native" languages.

> - native programs have many possibilities to go wrong 
> (deadlocks, threading, memory allocations...) and that differs 
> from project to project ; you cannot enforce any invariant with 
> such a number of libraries. And it's a huge hurdle for "common 
> off the shelf" libraries.

A fork bomb is possible with almost all languages in practice. 
Every npm package has the ability to run random js code on 
install, which runs with the privileges of the current user. "A 
security nightmare" - you say, but in practice it's not that bad, 
given they have invested much more than us in a process of 
managing security vulnerabilities: 
https://docs.npmjs.com/reporting-a-vulnerability-in-an-npm-package https://www.npmjs.com/policies/security

