#19 / Jul 8, 2021

npm audit: Broken by Design

Dan Abramov expresses frustration about the current state of npm audit, security vulnerabilities, and—to borrow his 👌 term—"security theater".

From a frontend standpoint, the root of that frustration is that most of the flagged theoretical vulnerabilities tend to be in packages that run at build time (in the terminal) and not at runtime (in the browser). This makes the vulnerable party you and not your users. On top of that, leveraging most of these vulnerabilities requires access to your source code or your machine.

TLDR: most of these are not real threats. And they very well could be drowning out real threats.

Component Story Format 3.0

The Storybook team has just announced a new version of their Component Story Format (CSF). New niceties include a variety of changes to decrease story boilerplate. New story objects allow for easier composition, and automatic render functions and story titles provide sane defaults.

But the real game changer is what Storybook is calling "play functions," which allow simulating user interaction within a story. This is huge for demonstrating complex states of components, especially when those states cannot be reproduced via props.

YAGNI exceptions

A list of exceptions to the YAGNI rule-of-thumb. In other words, things you likely are going to need at some point (or wish you had). Two I appreciated:

Logging. Especially for after-the-fact debugging, and in non-deterministic or hard to reproduce situations, where it is often too late to add it after you become aware of a problem.

Timestamps. [...] instead of a boolean flag, e.g. completed, a nullable timestamp of when the state was entered, completed_at, can be much more useful.

Getting Unstuck

Jonas Lundberg writes about what to do when you're stuck—unable to figure out why your code is behaving differently than you expect.

I liked this point about ego getting in the way:

Ego is the enemy

The longer I've programmed the more likely I am to get badly stuck once I do get stuck. Why is that? My fragile inflated ego. Programming for a long time equals the "I know what I'm doing" mindset. [...] "I know what I'm doing" makes it hard to recognize what you don't know (yet) and hard to admit.

Reasons to Listen to Whom You Don’t Agree With

Jens Oliver Meiert reminds us why listening to people we don't agree with often leads to a positive outcome.

Just as there's frequently more to learn from failures than successes, there can be more to learn from people we disagree with than those we agree with. And, as Meiert points out, blocking out those we disagree with is like slowly curating our own personal echo chamber. Yikes.