Languishing lodash library loophole finally fitted for a fix: It's only taken since October to address security bug A lingering vulnerability in lodash, a popular JavaScript helper library distributed through package manager npm, has prompted developers to kvetch about the fragile state of security. The occasion for the renewal of what's been a longstanding concern was the publication on Wednesday of an npm security advisory, which should …
The website is the car in this analogy, we know its useful and its serves many purposes. To build the car we need some way to send and receive data, style it, and get user input... etc
This stuff all exists, and has done for a long time. You can hand crank HTML etc and what you get is rock solid. All these libraries do is change the way you build your wheel, your axle. Yes it seems faster but you trade stability/maintanability/security/performance and simplicity for development speed alone...
I honestly am not advocating hand cranking code, but the trade offs need to be made only in appropriate places, not "use this 1 framework to solve all your problems". You're building a car, so it makes sense to reuse the frame of another manufacturer, but other than that its best to just do it yourself.
Its not innovation to reinvent the tools to build the wheel, it's procrastination; and besides, using different tools every time you build a car is upsettingly inefficient
Critical open source with too few to maintain it is a serious problem, but people are working on it.
The Ford and Sloan Foundations are supporting research to understand the issues: https://www.fordfoundation.org/campaigns/critical-digital-infrastructure-research/
In particular, have a look at Nadia Eghbal's report: https://www.fordfoundation.org/media/2976/roads-and-bridges-the-unseen-labor-behind-our-digital-infrastructure.pdf
OpenSSL is a prime example. Google, IBM, Microsoft, Intel and Facebook are now contributing to its maintenance: https://arstechnica.com/information-technology/2014/04/tech-giants-chastened-by-heartbleed-finally-agree-to-fund-openssl/ .
This post has been deleted by its author
Most people probably use Lodash to try to reduce the uncertainties of writing JavaScript*.
As pointed out here you can do without Lodash. But in many cases the native ES5/ES6 code is more verbose or less transparent than the Lodash alternative. Your therefore have the choice of inlining the native code everywhere, which lays up technical debt for the inevitable day when a defect is discovered in it, or writing your own library, which is really just dogfooding Lodash.
* Probably because I'm an old fart who learned coding on less high-spirited languages, I find JavaScript a constant source of anxiety, even though I spend a lot of time on it these days. It's bizarre they way it puts Tony Hoare's billion-dollar mistake in the shade by having three kinds of nullity, even though it only has about half a dozen datatypes that are constantly turning into each other.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
