NPM – "is-even", 160k weekly downloads

247 points by st_goliath, over 3 years ago

46 comments

PragmaticPulp, over 3 years ago
732K downloads per month.

722K of those downloads come from this package by the same authors: https://www.npmjs.com/package/handlebars-helpers-ncc

The handlebars-helpers-ncc package contains 130 different utility dependencies including a few actually useful things like functions to convert Markdown to HTML, but also some weirdly trivial packages like is-even.

I suppose this was a brilliant way for the authors to generate staggeringly high NPM download counts for their packages: Repackage other people’s useful code into convenience functions and then include their own trivial package dependencies several layers deep to multiply their overall downloads count.

I wonder how many jobs they’ve applied to while bragging about their millions of monthly NPM downloads.

jeroenhd, over 3 years ago
Ha, I remember this package. It's a dependency of a dependency of a dependency in several projects inside the company I work for. I think either React, Babel, or Webpack depended on it at some point in time.

Nobody needs to write satire about the state of Javascript package management when people write (and use!) libraries like these.

sethammons, over 3 years ago
The entire package boils down to the following. I find it funny.

    'use strict';

    var isOdd = require('is-odd');

    module.exports = function isEven(i) {
      return !isOdd(i);
    };

Grieving, over 3 years ago
2̶7̶ 2 dependencies, travis ci configured, fully tested and documented, even the readme depends on some external tool. github username is i-voted-for-trump. Looks like a joke that people actually started using.

edit: Confused dependents with dependencies

rectang, over 3 years ago
Adding a package like this as a dependency is a net negative, because for the sake of trivial functionality you take on all the supply chain overhead and security risk.

The culture of relying on small dependencies needs to adapt to account for security. It's one of many aspects of open source supply chain management due for a reckoning.

globalise83, over 3 years ago
Ironic that this post makes it to front page but an admission that *any* npm package published before 2020 may have been hacked gets no interest! https://news.ycombinator.com/item?id=29234098

game_the0ry, over 3 years ago
This is beautiful.

From the github user's ("i-voted-for-trump") bio:

> This is a joke. You'll only see this org if you are attempting to troll me about repositories I created when I was learning to program.

I give this troll effort a score of 9/10. Well done - love the testing, readme, docs, continuous integration, etc. Honestly, this is better than most enterprise software I see.

I might contribute for fun and lulz...

EDIT - read some of the comments and there is some anger and confusion. Folks, this is a troll. Yes, npm and the JS ecosystem have some flaws, but let's not get bent out of shape.

eunos, over 3 years ago
Why can't NPM have something like Apache commons? There you can include all simple and fundamental functionality. Instead of having one package each like this.

locallost, over 3 years ago
https://github.com/i-voted-for-trump/

> i-voted-for-trump

> This is a joke. You'll only see this org if you are attempting to troll me about repositories I created when I was learning to program.

> is-odd

> I created this in 2014, the year I learned how to program. All of the downloads are from an old version of https://github.com/micromatch/micromatch. I've done a few other things since: https://gith…

madacol, over 3 years ago
The developer's most recent PR merged, with drama included https://github.com/jonschlinkert/cache-base/pull/23

I'm not sure what to think about this guy, but I think the packages that decide to depend on these dependency rabbit holes are more guilty, and it is also the fault of the platform for not showing how deep the dependency chain goes.

We should focus more on improving how we choose dependencies

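One way to see how deep a trivial package sits in a project, as an added example that is not part of the thread or of npm's own tooling: the script walks the `packages` map of a package-lock.json (lockfileVersion 2 or 3) and returns the shortest dependency chain to each installed copy of a named package. The lockfile below is constructed sample data; `demo-app`, `template-helpers`, `left-util` and the function names are hypothetical.

```javascript
// Constructed sample lockfile (lockfileVersion 2/3 "packages" layout). demo-app,
// template-helpers and left-util are hypothetical; versions are made up.
const SAMPLE_LOCK = {
  packages: {
    '': { name: 'demo-app', dependencies: { 'template-helpers': '^1.0.0', 'left-util': '^2.0.0' } },
    'node_modules/template-helpers': { version: '1.0.0', dependencies: { 'is-even': '^1.0.0' } },
    'node_modules/left-util': { version: '2.0.0' },
    'node_modules/is-even': { version: '1.0.0', dependencies: { 'is-odd': '^0.1.2' } },
    'node_modules/is-odd': { version: '0.1.2', dependencies: { 'is-number': '^3.0.0' } },
    'node_modules/is-number': { version: '3.0.0' },
  },
};

// Resolve `dep` the way Node does from the package installed at `fromPath`:
// nearest node_modules first, then each parent, ending at the top level.
function resolveDep(packages, fromPath, dep) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + '/' : '') + 'node_modules/' + dep;
    if (packages[candidate]) return candidate;
    if (!base) return null; // not installed (e.g. a skipped optional dependency)
    const cut = base.lastIndexOf('/node_modules/');
    base = cut === -1 ? '' : base.slice(0, cut);
  }
}

// Breadth-first walk from the root project. Returns the shortest chain to every
// installed copy of `target`, e.g. ['demo-app', 'x@1.0.0', 'target@1.0.0'].
function findChains(lock, target) {
  const packages = lock.packages || {};
  const queue = [{ path: '', trail: [(packages[''] || {}).name || '(root)'] }];
  const seen = new Set(['']);
  const chains = [];
  while (queue.length > 0) {
    const { path, trail } = queue.shift();
    const entry = packages[path] || {};
    const deps = Object.assign({}, entry.dependencies, entry.optionalDependencies,
      path === '' ? entry.devDependencies : undefined);
    for (const dep of Object.keys(deps)) {
      const resolved = resolveDep(packages, path, dep);
      if (!resolved || seen.has(resolved)) continue; // missing, or already reached
      seen.add(resolved);
      const next = trail.concat(dep + '@' + (packages[resolved].version || 'unversioned'));
      if (dep === target) chains.push(next);
      queue.push({ path: resolved, trail: next });
    }
  }
  return chains;
}
```

For a real project, pass `JSON.parse` of its package-lock.json as `lock`; a chain's length minus one is the depth at which the package enters the tree.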
haolez, over 3 years ago
How does your company protect itself against supply chain attacks on NPM? At my company, we try to keep dependencies at a minimum, but I doubt this is effective as a protective measure.

cool-RR, over 3 years ago
This package is useful if you can't even.

penjelly, over 3 years ago
isEven is ridiculous but appears to be a joke so that's fine. isOdd being an actual dep is ridiculous and I don't think it's a joke? edit: yeah is-odd seems to be a serious project. This is one of the first things people learn in a new language and we have a package for it? I guess it's a teaching point? or maybe the author just wanted reputation..

Turing_Machine, over 3 years ago
Its dependency, is-odd, has 431,198 weekly downloads.

croes, over 3 years ago
Sorry but I cannot take seriously any programmer who uses the package deliberately.

JohnWhigham, over 3 years ago
Why doesn't the ECMAScript Committee tackle low-hanging bullshit like this?

dpweb, over 3 years ago
These packages serve a very useful purpose in that they illustrate dependency abuse, but the fact isOdd DEPENDS ON isEven and isNumber is pretty funny.

jilles, over 3 years ago
Various boilerplate projects use "is-even" as a joke. It's meant to be removed from your package.json when you start your project.

thunderbong, over 3 years ago
The code:

    'use strict';

    var isOdd = require('is-odd');

    module.exports = function isEven(i) {
      return !isOdd(i);
    };

https://github.com/i-voted-for-trump/is-even/blob/master/index.js

beepbooptheory, over 3 years ago
Thoughtful of the developer to add type defs.

worik, over 3 years ago
Why is that even a package?

Hmmm... Why NPM? Why Node.js?

I am staying well clear of this in any important infrastructure.

I build test frameworks out of Node.js (I had a set of bad choices) so I can get to know the thing. Made me hate it more.

All the mistakes ever made in computing rolled into one convenient system. Do not use this in important infrastructure. It is very bad.

feketegy, over 3 years ago
There are two contributors to this package.

gzer0, over 3 years ago
https://github.com/jonschlinkert

Interesting, 845 repositories by the user, and the vast majority of them are simple NPM modules such as this one.

Have there been any recent instances of someone abusing simple NPM repos like this for malicious intent?

Pensacola, over 3 years ago
Funniest thing about this is that is-even requires as a dependency another node package written by the same author, called "is-odd." The is-even code just returns !is-odd. The "is-odd" package actually contains the logic for determining if a number is odd or even.

aledalgrande, over 3 years ago
This issue of dependencies is exacerbated when a popular library has old and unmaintained dependencies 2-3 levels down that have security holes, and taking them out is a huge refactor.

I hope the JS community is moving away from this model, and I think a good example of that is DayJS.

lhorie, over 3 years ago
https://www.npmjs.com/package/is-ci tells you everything you need to know about where inflated download numbers come from.

baal80spam, over 3 years ago
I see a missed opportunity for an "is-odd-or-even" package. /s

floatingatoll, over 3 years ago
See also:

*I will pay you cash to delete your NPM module* https://news.ycombinator.com/item?id=29240952

lloydatkinson, over 3 years ago
So, who's going to be the person to find all these dumb packages and replace them with PRs to their dependents? Make PRs to repos using is-even, is-odd, etc with n % 2 == 0; etc?

soheil, over 3 years ago
What's odd is that "is-odd" has 430k weekly downloads.

https://www.npmjs.com/package/is-odd

mynameismon, over 3 years ago
During the week between 22nd and 28th Dec 2020, it shows a spike. Not an ordinary one, but more than 100x the regular figure! 19,960,098 downloads to be precise.

Edit: whoops, 100x

listless, over 3 years ago
If I ever have an interview where I can use this, I’m 100% doing it and I hope that people appreciate it as the social commentary that it is.

davidhariri, over 3 years ago
Who wants to make an is-not-uneven package with me?

jillesvangurp, over 3 years ago
Anyone want to take a bet that there are multiple packages called is-odd that depend on this one?

shashashasha___, over 3 years ago
well, at least it gets an input and returns an output. what about this one https://www.npmjs.com/package/noop2

it has almost 90k downloads a week

moray, over 3 years ago
what happened between the 22 and 28 of December 2020? Almost 20 million downloads...

jacomoRodriguez, over 3 years ago
this may no seem like an odd comment (please at least admire the pun), but generally I can see value in this. All this stuff is-even and is-number is doing to make sure that it is actually a number, throwing errors etc. pp. sure, I could do it myself, but I would probably miss half of the cases and would spend some time finding the right solutions for the other half. Why should I reinvent the wheel if someone already has, and that in a good and thought through way? Don't get me wrong, there are tons of needless packages on npm, but in this case I can see the value (ok, maybe the is-odd is one too much and !is-even would be enough)

just to trigger a bit more: Pretty sure a case manufacturer could develop its own screws... but I think in most cases they just use what someone else provides...

johnsonap, over 3 years ago
somehow "is-odd" has even more https://news.ycombinator.com/item?id=29242598

maxpert, over 3 years ago
Hilarious! It takes dependency on is-odd and just does a not (`!`).

Cthulhu_, over 3 years ago
And the current repo's owner is "i-voted-for-trump"

aerojoe23, over 3 years ago
The source requires is-odd... and then ! the call to it.

squid_demon, over 3 years ago
Which has a freaking DEPENDENCY on is-odd! Seriously?

claudiug, over 3 years ago
this reminds me of the standardjs dude, that added some nice ads on logs, just because he wanted it. standardjs is a yml config file. that is all

keeganjw, over 3 years ago
It even has one dependency, package is-odd

emodendroket, over 3 years ago
This package in turn depends on is-odd.

hahamrfunnyguy, over 3 years ago
Why would you even use this?