Sadly, it’s a stupid dependency of a lot of things.
Just ran npm explain is-number on one of my projects, and it’s a dependency of to-regex-range which is a dependency of fill-range which is a dependency of…and so on up the chain.
I was hoping I wouldn’t find that in there, but alas, it is.
I don’t get the concept that depending on 7 lines of code from a third-party package is remotely acceptable. It’s expanding the potential attack surface to save a dev from templating 7 lines of boilerplate. There’s no net benefit or appreciable time saved.
I’m glad I don’t have to deal with this regularly.
ETA: The package is even MIT licensed! There’s no excuse but laziness and not wanting to understand the code to import this rather than inlining or implementing a novel version. If I can spend the time to write:
It handles a few weird edge cases, mostly. Only 7 meaningful lines of code and almost 70M downloads week!
Sadly, it’s a stupid dependency of a lot of things.
Just ran
npm explain is-numberon one of my projects, and it’s a dependency ofto-regex-rangewhich is a dependency offill-rangewhich is a dependency of…and so on up the chain.I was hoping I wouldn’t find that in there, but alas, it is.
Given that this screenshot is about
to-regex-rangeI think they might be on to something!🤦♂️😆
Didn’t even catch that in the screenshot. lol
I don’t get the concept that depending on 7 lines of code from a third-party package is remotely acceptable. It’s expanding the potential attack surface to save a dev from templating 7 lines of boilerplate. There’s no net benefit or appreciable time saved.
I’m glad I don’t have to deal with this regularly.
ETA: The package is even MIT licensed! There’s no excuse but laziness and not wanting to understand the code to import this rather than inlining or implementing a novel version. If I can spend the time to write:
after every function call…I just didn’t get it.
You’re right, it’s not sane! The js ecosystem is hell