Why Phobos is cool
Petar
Thu Jun 25 16:14:58 UTC 2020
On Thursday, 25 June 2020 at 15:30:18 UTC, Guillaume Piolat wrote:
> On Thursday, 25 June 2020 at 14:41:49 UTC, Petar Kirov
> [ZombineDev] wrote:
>>
>> So the 146 number is pretty laughable in comparison. Running `yarn
>> list | wc -l` on a random project of ours gives me 7368 :D
>>
>
> I'll assume your post isn't satire ^^
Yes, it's just a real, random data point, which is pretty typical
for many frontend projects nowadays :/
> This doesn't really work for native since:
> - there is the cost of compiling this ahead of time, which
> isn't negligible and with a cost structure unlike Javascript
> (in the best case, code has to be compiled in and then stripped
> by linker, very slow)
I know, I know. We use TypeScript, so our code and many of our
dependencies actually need to be compiled, before the program can
be executed. For example, running a project after git clone takes
between 1-10mins. (When it's more than 2-3 mins it's actually
because of C/C++. Many nodejs packages are actually C/C++ code
with JS bindings, which needs to be compiled on npm install,
because in the npm world, typically they ship only source code
and not binaries. And also because before Node didn't have a
stable ABI, so if you wanted to support Node.js versions released
in the past several years, you would have to ship 20 different
binaries of the same library :D)
But that's just the first time, because TypeScript and React.js
(through webpack) have incremental compilation, so each change
takes less than several seconds (in many cases less than 1 sec).
By change, I mean the time to typecheck and emit JS code. Of
course I'm well aware that this is not a fair comparison to pure
"native" languages.
> - native programs have many possibilities to go wrong
> (deadlocks, threading, memory allocations...) and that differs
> from project to project ; you cannot enforce any invariant with
> such a number of libraries. And it's a huge hurdle for "common
> off the shelf" libraries.
A fork bomb is possible with almost all languages in practice.
Every npm package has the ability to run random js code on
install, which runs with the privileges of the current user. "A
security nightmare" - you say, but in practice it's not that bad,
given they have invested much more than us in a process of
managing security vulnerabilities:
https://docs.npmjs.com/reporting-a-vulnerability-in-an-npm-package
https://www.npmjs.com/policies/security