The internet is going to break

I thought this was going to be forecasting, but the trend has already begun.

Recently, a single NPM package took down over a million web sites. Here is a link to what happened.

However, that is only the beginning. Node.js is growing in popularity, and it is really useful and practical when used correctly. The problem is this: no one really knows how to use it correctly. So-called developers are including packages of packages, and people are finding a good GitHub starter kit and calling it production-ready code. There is a great use for a starter kit: you can learn how it works or prototype with it. Do NOT release it into production. A recent starter kit that I am a big fan of included over 400 dependencies at the top level. Pay attention: AT THE TOP LEVEL. Each of those dependencies pulls in several other dependencies that I may not even be aware of.

I have attended many hackathons and startup weekends recently, and I often hear, “Oh, just install this package, that will solve it”. Awesome, you got them over the hump and they learned absolutely nothing. More importantly, the person who recommended it may be malicious and have them install a package that does what they need, but also a little bit more that they absolutely don’t want. That package then gets recommended by them to another developer. The perpetuation of malicious code continues.

We haven’t forgotten how to code, as some suggest. I think we know how to code; we have just gotten lazy and don’t care to do it ourselves. If you investigate Express.js, the most common web framework for Node, you will see 248 files and 54 folders to simply install that. That is 248 files I should review and validate to make sure there is no malicious code in the version of the package that I am installing.

If you install browserify, you are including 2,062 files and 593 folders!
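To see how much is actually pulled in beyond the top-level list, here is an added example (not from the original post) that walks an npm package-lock.json in the lockfileVersion 2/3 "packages" format, resolves nested node_modules the way npm does, and counts direct versus transitive installs while flagging packages that run install scripts. The lockfile embedded below is constructed for illustration and its package names are hypothetical.

```javascript
// Constructed lockfile: two direct deps, but the install tree is larger and
// contains two copies of log-lib plus one package with an install script.
const lock = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "web-kit": "1.0.0", "log-lib": "2.0.0" } },
    "node_modules/web-kit": { version: "1.0.0", dependencies: { "parse-q": "1.0.0", "log-lib": "1.0.0" } },
    "node_modules/web-kit/node_modules/log-lib": { version: "1.0.0" },
    "node_modules/parse-q": { version: "1.0.0", dependencies: { "tiny-pad": "0.1.0" } },
    "node_modules/tiny-pad": { version: "0.1.0", hasInstallScript: true },
    "node_modules/log-lib": { version: "2.0.0" },
  },
};

// npm resolves `name` from `fromPath` by checking the nearest node_modules
// directory and walking up to the project root.
function resolve(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!base) return null; // not in the lockfile (optional/peer dep)
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx); // parent package's scope
  }
}

// Count every installed copy reachable from the root's dependencies.
// Duplicate copies of the same package count separately: each one is
// code that gets installed and would need review.
function audit(lockfile) {
  const pkgs = lockfile.packages;
  const direct = Object.keys(pkgs[""].dependencies || {});
  const seen = new Set();
  const installScripts = [];
  const stack = direct.map((name) => ["", name]);
  while (stack.length) {
    const [from, name] = stack.pop();
    const path = resolve(pkgs, from, name);
    if (!path || seen.has(path)) continue;
    seen.add(path);
    if (pkgs[path].hasInstallScript) installScripts.push(path);
    for (const dep of Object.keys(pkgs[path].dependencies || {})) stack.push([path, dep]);
  }
  return { direct: direct.length, total: seen.size, transitive: seen.size - direct.length, installScripts };
}

console.log(JSON.stringify(audit(lock)));
```

Pointing `audit` at a real lockfile (`JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`) gives the number of packages you are actually trusting, and `installScripts` lists the ones that execute code at install time.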

That seems NUTS to me. I know that the .NET Framework has recently been open sourced and it has random contributors now. So feel free to mention that the .NET Framework has countless libraries included; I already know. The difference is that they were written by a corporation that has coding standards, a QA department, and several teams working together on the framework. My point is this: we are moving toward relying on multiple packages that we know nothing about, nor do we often care to know about, as long as they work. We are moving faster and faster, including more and more packages, and producing less and less maintainable code.

The internet is going to tumble without good developers taking pride in their code and in all the dependencies that they are relying on. We are going to reach a tipping point when the packages are so massive and so difficult to debug that one malicious sub-sub-sub-dependency makes us scrap it all and go back to Java, C++, or C# and rely on enterprise-backed frameworks like .NET or Java. We are moving more and more to the client, and as it always has, it will shift. It will shift back to the server, where we can have more control again.

Accountability, integrity, and a general concern for those who are using your package, using your code, and even contributing to your code need to happen. There are several models that work great until the human factor comes into play. It only takes one malicious person to create a bad package that has been included in so many others. Then what?

Pay attention to your code and to your dependencies; just because everyone is using something does not make it secure or stable.

Write clean, readable code.

If you need something, think about whether you can do it simply yourself rather than immediately looking for a package/module to solve it for you.

Innovation does not come from copying, it comes from creation.

Don’t break the internet because you are lazy.