DEV Community

Kushal Niroula for The Coffee Coders

Posted on

Any thoughts on create-react-app breaking due to one line npm package

It seems like create-react-app broke because of an error in one of its npm dependency. The dependency itself is just one line of code, more specifically it checks to see whether a certain object is like a promise or not (is an object with then method).

https://github.com/then/is-promise/issues/13#issuecomment-619402307

The issue seems to have been resolved, as I can create a new react app using create-react-app

This situation reminds me, and apparently many others, of the time when one package was unpublished from npm and caused many projects to fail.

https://arstechnica.com/information-technology/2016/03/rage-quit-coder-unpublished-17-lines-of-javascript-and-broke-the-internet/

The package under question here is is-promise and has this code

function isPromise(obj) {
  return !!obj && (typeof obj === 'object' || typeof obj === 'function') && typeof obj.then === 'function';
}

Enter fullscreen mode Exit fullscreen mode

So what are your thoughts on it? Should such trivial functions be inlined? Or are there better alternatives?

Top comments (6)

Collapse
 
emma profile image
Emma Goto πŸ™

I'll admit I don't know that much about npm and dependency management (so take what I say with a grain of salt), but should packages like create-react-app be more wary of accepting minor version bumps of dependencies? In this case is-promise went from v2.1 to 2.2 and then caused this issue, should create-react-app (or whatever dependency it relied on that in turn relied on is-promise) have not automatically accepted this version bump?

I know it's not directly create-react-app's fault, but I wonder what we can do about it from the perspective of the packages that use these dependencies. What's stopping someone from putting dodgy code in their widely-used package and doing a minor version bump?

Collapse
 
kushal-niroula profile image
Kushal Niroula

I think we should be explicit about the version that we depend upon and change the dependency version only when we are sure that we want to upgrade and that our code does not break. I know this means more work to do and keep track of, but maybe it is the price we have to pay for stability, and especially in case of popular packages like create-react-app.

Collapse
 
brunooliveira profile image
Bruno Oliveira • Edited

My thoughts is that it just shows that the whole JS framework bandwagon is a prime example of horrible decisions escalating in the wrong direction. Simple. It is also an example of what will KEEP happening, until better engineering decisions start to be made and people start owning their choices and code responsibly. It is pure garbage and negligence.
It's the typical example: if a doctor would try to treat you without any safety measures, if you noticed he was nervous, sloppy, if his office was full of garbage, probably you'll walk way.... In Computer science we do the opposite.

Collapse
 
kushal-niroula profile image
Kushal Niroula

In Computer science we do the opposite

Not sure if that is true. That is why we have typescript πŸ˜„

Collapse
 
isajal07 profile image
Sajal Shrestha

I just randomly opened this DEV article on React. And saw my fellow countrymen from Biratamode. Just wanna wish Good Luck with your company at Birtamode. :)

Collapse
 
kushal-niroula profile image
Kushal Niroula

Thanks, man. It's always nice to hear from someone from my own country. That is why I have been recommending dev.to to all of my colleagues; being a part of a community like this is very rewarding.

Wish you good luck with your endeavors too.