back to article NBD: A popular HTTP-fetching npm code library used by 48,000 other modules retires, no more updates coming

After eleven months of planning, the npm-distributed request module has been deprecated, meaning the popular JavaScript code library for making HTTP requests is no longer supported and won't receive further updates. The almost 48,000 other npm modules that include request as a dependency won't see any immediate effect, other …

  1. b0llchit Silver badge
    Meh

    New is not always better

    ...and the code patterns at the heart of request are out of date

    I do understand the urge to do everything in the most fashionable modes all the time. However, if it ain't broken, don't fix it. The JavaScript ecosystem made the same mistake as the Java ecosystem. It has become a complexity and dependency hell. A wakeup call should have been the recent downing of an npm package.

    Yes, new paradigms and design patterns are a good thing. But being a bit conservative is also a good thing for longevity and maintainability. Complexity is hidden down the line of libraries and ripple up through the dependency chain. It is a nightmare to inherit unmaintainable old code with a blend of discontinuous paradigms and design patterns mixed. It should have been maintainable. It reminds me of the good old "Good, Cheap, Fast" choice. You still only can pick two, however, the "cheap" part is getting more and more expensive, the "fast" part is slowing down and the "good" part becomes a rather relative expression.

    1. wolfetone Silver badge

      Re: New is not always better

      "I do understand the urge to do everything in the most fashionable modes all the time. However, if it ain't broken, don't fix it. The JavaScript ecosystem made the same mistake as the Java ecosystem. It has become a complexity and dependency hell. A wakeup call should have been the recent downing of an npm package."

      The problem is with this mantra is that it doesn't make web agencies money, and it doesn't tickle the ego of the developer. They WANT the latest and greatest for their own benefit, not for the customer. They WANT the complexity it brings because it means they can charge the client more hours and get more money.

      You can sit there and argue that things should be simple, if it isn't broken don't fix it, return to the idea of KISS. But if your boss or team leader is a w****r the idea won't fly. Yet it won't be them trying to work out why a dependency has failed or why the software is no longer supported by an open source project they don't contribute to.

      </rant>

      1. ecofeco Silver badge

        Re: New is not always better

        All too damn true.

    2. Paul Hovnanian Silver badge

      Re: New is not always better

      Won't someone please think of all of the CS PhD candidates who are submitting new languages (or redefining old ones) for their thesis?

    3. CBM

      Re: New is not always better

      This one sounds like a legit case for change: It was developed when the framework was very new, and not that well explored. People have since discovered better ways of doing certain things, and trying to interoperate with the old ways just leads to piles of boilerplate. Stability can be good, but sometimes cutting your losses and moving on is better.

  2. Ben Tasker

    Seems Optimistic

    11 months notice seems a bit optimistic to me.

    Python 2 had it's EOL extended by five years, yet there were still people complaining about it's EOL earlier in the year because they hadn't started using Python3 for new projects (or porting old code over).

    I don't overly blame the guy for ending support (you've got to at some point), but I think even his caveated position is a little overly-optimistic on how long it'll take for people to move to something else. As long as request works, people'll continue using it because they're familiar with it (path of least resistance).

    At some point there'll probably be a short-sharp shock as some bug/vuln is found and people start to actively realise what it means to introduce unsupported dependencies into a project

    1. Sandtitz Silver badge

      Re: Seems Optimistic

      "I don't overly blame the guy for ending support (you've got to at some point), but I think even his caveated position is a little overly-optimistic on how long it'll take for people to move to something else. As long as request works, people'll continue using it because they're familiar with it (path of least resistance)."

      Then people would just use the request code indefinitely.

      Surely there are multiple HTTP handler libraries available that implement the same functionality? If your code relies on this module and you can't replace it in one full year or so then I think the problem is with your resource management.

      Is there a reason why this request code can't be forked or maintained by someone else?

      1. sqlrob

        Re: Seems Optimistic

        The problem is it's not just *your* resource management.

        You use a library dependent on request. You need to wait for it to propagate through. Rinse, repeat through many layers.

      2. Ben Tasker

        Re: Seems Optimistic

        If your code relies on this module and you can't replace it in one full year or so then I think the problem is with your resource management.

        You could say exactly the same about Python 2 <-> Python 3. And with that you at least don't have the issue of some module you use also relying on the deprecated module.

        The world just doesn't work that way, even if it should.

        A lot of businesses won't pay for refactoring of something that's currently working, and devs often won't go out and learn a new library if they've got one that works just fine (now) that they're very familiar with.

        None of this is the problem/fault of the requests maintainer of course, I was simply commenting on the fact that I think he's still somewhat underestimated the inertia.

  3. baud

    I wonder why such a functionality isn't just built-in the core of the language, instead of forcing all the devs to either reinvent the wheel each time or rely on third-party libraries

    1. Ben Tasker

      It's a node thing.

      Quite some time back, builds started breaking because a dev withdrew his modules.

      The biggest breakage - left-pad - a module to pad the left hand side of a string with zeros/space, very much a built in for strings in most other languages.

      It was at that point that NPM realised they needed to prevent devs from removing their code, otherwise breakage is near certain.

    2. richardcox13

      In the DOM, so on clients it is built in Fetch.

      On server side (Node.js) not so much...

    3. Recaf

      They are now

      That's kinda the point: they are now, but weren't a decade ago, and people are still importing 1,000 lines of code (or whatever) where one now does the same job.

      1. Anonymous Coward
        Anonymous Coward

        Re: They are now

        No they're not. What's new are the new styles of imports, asynchronous programming, and functional syntax.

        The functionality of requests (intelligent management of raw HTTP) is still needed, and not available in the core.

    4. DrXym

      There's certainly an argument to be made for putting things like this into the standard library. It doesn't prevent 3rd party libs from offering alternative / better / finegrained ways of doing the same, but it reduces the amount of dependencies that are required for code that just wants to do something straightforward.

      Languages like Golang have adopted this "kitchen sink" approach to their libs. Even Java has a pretty extensive http support in its runtime but you can always use Apache Http instead if you want.

  4. Buzzword

    All software is terrible

    "Developers using *INSERT SOFTWARE NAME* today are often including layers of indirection in order to port those old patterns to new ones," he said. "This shows up in bundle sizes, performance, and debuggability, and there are numerous newer libraries that don’t have these problems."

    Applies to nearly everything. Windows. Linux. Office. You name it, it's a cesspool of legacy fixes, edge case hacks, and backwards-compatibility kludges. Let's put a strict time limit on all software - ten years of active development, five years of LTS - followed by not just a rewrite, but a completely new product every decade.

    1. b0llchit Silver badge
      WTF?

      Re: All software is terrible

      So, you are suggesting to reinvent the wheel every ten years. However, the wheel is always round and has exactly the same function. Yes, bells and whistles may change, but the core remains. The computer hasn't changed that much either. It still is a simple machine manipulating ones and zeroes. Yes, faster, bigger, parallel, more shiny, more bells and whistles, etc. But the core remains.

      Why change a working system? Just for the sake of change? Or are you suggesting the ultimate employment strategy, where each younger generation is forced to abandon the previous generation's knowledge and strategies? Maybe ten years is too long. Hardware is replaced more often. Why then not force each hardware generation to be accompanied by its own software strategies? That'll create the ultimate amount of work. Lets abandon compatibility and let divergence rule... sigh.

    2. Loyal Commenter Silver badge

      Re: All software is terrible

      I will happily rewrite that working software for you, from scratch.

      You provide the requirements, and user stories, I'll put together the spec, and cost it up for you.

      Specification time is chargeable in advance.

      What do you mean, you want me to do it "for exposure"? What am I? A jobbing musician (who also won't work for free, but is used to this sort of thing)?

  5. DrXym

    If it's that popular

    Somebody will fork and maintain it.

    1. alain williams Silver badge

      Re: If it's that popular

      Maybe - but they will have to give the fork a new name or a slightly different download. That will break things - maybe not hard to fix but will need some work.

  6. Elledan

    Just Node things

    If you get the dependencies for any Node project that's older than a month or so, you'll see at least half a dozen 'deprecated' messages for direct or indirect dependencies. I wouldn't expect any project that's older than 11 months to even run any more, even if you can hit on the right NodeJS runtime version. This is fun when you're doing embedded JavaScript work (yes, it's a thing...) and have to update a two-year old app.

    If there's anything that this news shows, it's that Node/NPM isn't a framework, but just whatever scraps of JavaScript one can dig out of the skip that's parked outside of NPM HQ.Else it would have an actual standard API for basic functionality like this.

    1. Julz

      Re: Just Node things

      Node.js/NPM is a way for companies (or others) to use the JavaScript skills of people who learnt them in the ubiquitous browsers to program server side code. The results are predictable.

  7. DCFusor
    Trollface

    Waiting for the woodpecker

    "The JavaScript ecosystem is simply too large, and the dependency graphs too interdependent, for anyone to get an accurate picture of how much of the remaining dependence on request anyone should actually be concerned about."

    This brought to mind the old saying - "if architects built buildings the way programmers build code, the first woodpecker to come along would destroy society" - or something like that.

    While I could rag on Javascript specifically, there's no need as it's far from unique in this regard. We're cruising for a fall...

  8. zo0ok

    Node.js remains stable

    Thing is, Node.js API remains, it is stable and it is usable.

    You don't need request, or anything else. You never did. I wrote much of my code for Node v0.12/v4.0 almost 5 years ago. Everything still works perfectly. I am productive and I deliver business value every day.

    Your code should rely on what is truly stable and proven, even better - properly standardised. Everything else is just a distraction. Unless you just build throw-it-away proof-of-concepts.

    1. BuckeyeB

      Re: Node.js remains stable

      And how many times have "throw-it-away proof-of concepts" become production code. Quite often in my experience.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like