Honestly I don't hate the language itself that much (I'm just learning it though so who knows) but developing with it fucking sucks. First npm installs a thousand dependencies, then you have to use it to install an entirely different package manager (yarn) and hope it works.

If you're using npm, you install a package or two that you're working with and get 10+ vulnerabilities. It tells you to run "npm audit fix" so you do it, but it just lists the vulnerabilities again and tells you to run "npm audit fix", so apparently you're just stuck with those.

Then you try running your react app and it crashes with an error about failing to stat a random file in your home directory. It turns out that you mistyped an import, and instead of giving an error about that it recursively backs up and checks every single file to see if it's the one it's looking for. Cool.

  • blobjim [he/him]
    ·
    3 years ago

    What they should have done was never have HTML+CSS via HTTP in the first place. Just make everything a full page Java applet boom done. Every 'interchange' format eventually turns into a virtual machine (as the web did instantly) so why not just start off by making the whole thing a remote code execution sandbox? Just give the programmer WebGL via WebAssembly and nothing else. Instead the web is based on a bunch of text file formats 🤣 TEXT FILE FORMATS!!!! EVEN HTTP WAS BASED ON PLAINTEXT!!! NEVER DO TEXT KIDS. Clown world.

    But instead, WebAssembly is being pushed by Google et al. as just another add-on that increases the barrier to browser implementation and increases its complexity. Like just make the browser a VM bro lol it's not hard 😂.

    Like literally just download a WASM blob via TLS socket and execute it. That's it. Web solved. But now they're trying to add exceptions and garbage collection to WebAssembly. NO NO NO NO NOOOOOOOOOOOOOO!!!

    • Shrek
      ·
      3 years ago

      deleted by creator

      • blobjim [he/him]
        ·
        3 years ago

        Yeah but that's just because it wasn't really designed for sandboxed execution initially. If they actually standardized something (like they have now with WebAssembly) it would obviously be designed for security.

      • blobjim [he/him]
        ·
        3 years ago

        That will never happen though. It isn't flexible enough so there will always be some kind of VM added to stuff like that. People want to be able to create programs that can be run easier than downloading and installing one to a computer (which has no sandboxing whatsoever). Better to just start off with something simple than tack it on. It's still possible to have plenty of functionality without being able to do very good fingerprinting.

    • ComradeBongwater [he/him]
      ·
      3 years ago

      Lol you joke, but I'd vastly prefer either browsers being a VM over TCP or pure document formats. This hybrid shit brings the worst of both...little control over execution, piss-poor sandboxing, but built from a stapled together pile of obfuscated document formats.

      I have very mixed feelings about WASM. It may kill any modicum of user control we have left, but it will also make it easier to dev in whatever language I want and target the web.

      At this point, we should just scrap the web and start over.

      • blobjim [he/him]
        ·
        3 years ago

        Yeah good point about user control. Although it isn't like most fancy webpages these days can be controlled or understood easily anyways. Better off just doing better sandboxing than trying to do any kind of introspection on documents and stuff, if that's the goal. And you can read website source code for lots of open source projects (hexbear.net lol), so it's not like you get much from being able to look at the stuff transmitted to your browser. I'm sure there will be tools eventually to see what WASM "syscalls" are being made if there aren't already ways, and you could probably create hooks for them too, in order to control what websites can do, without writing a new browser.

        One issue with creating and using alternative formats is security, since most of the security stuff requires a budget and is only done for stuff that's actually used. But if you could build something out of existing libraries, like TLS sockets from library A and a WASM VM from library B, there probably wouldn't be much room to create security problems that don't exist already. And some small orgs could use a different protocol (there's already some stuff like this obviously).
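
The idea in the last comment, hooking the "syscalls" a WASM module makes, corresponds to wrapping the module's import object, since imports are the only way WebAssembly code reaches the host. The sketch below is an added example, not something posted in the thread; the module bytes are constructed by hand and the import names `env.read` and `env.send` are hypothetical.

```javascript
// Added example: constructed module, hypothetical import names env.read / env.send.
// Equivalent WAT:
//   (module (import "env" "read" (func (param i32)))
//           (import "env" "send" (func (param i32)))
//           (func (export "run") i32.const 1 call 0 i32.const 2 call 1))
const WASM_BYTES = new Uint8Array([
  0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00,             // magic + version
  0x01, 0x08, 0x02, 0x60, 0x01, 0x7f, 0x00, 0x60, 0x00, 0x00, // types: (i32)->(), ()->()
  0x02, 0x17, 0x02,                                           // import section, 2 entries
  0x03, 0x65, 0x6e, 0x76, 0x04, 0x72, 0x65, 0x61, 0x64, 0x00, 0x00, // env.read
  0x03, 0x65, 0x6e, 0x76, 0x04, 0x73, 0x65, 0x6e, 0x64, 0x00, 0x00, // env.send
  0x03, 0x02, 0x01, 0x01,                                     // one function, type 1
  0x07, 0x07, 0x01, 0x03, 0x72, 0x75, 0x6e, 0x00, 0x02,       // export "run" = func 2
  0x0a, 0x0c, 0x01, 0x0a, 0x00,                               // code section, 1 body
  0x41, 0x01, 0x10, 0x00, 0x41, 0x02, 0x10, 0x01, 0x0b,       // read(1); send(2); end
]);

// Wrap every host function so each call is recorded and checked against a policy.
function hookImports(imports, policy, log) {
  const hooked = {};
  for (const [mod, fields] of Object.entries(imports)) {
    hooked[mod] = {};
    for (const [name, value] of Object.entries(fields)) {
      if (typeof value !== "function") { hooked[mod][name] = value; continue; }
      const id = `${mod}.${name}`;
      hooked[mod][name] = (...args) => {
        const allowed = policy.has(id);
        log.push({ id, args, allowed });
        if (!allowed) throw new Error(`blocked import call: ${id}`);
        return value(...args);
      };
    }
  }
  return hooked;
}

function runHooked(policy) {
  const log = [];
  const received = [];
  const host = { env: { read: (n) => received.push(["read", n]),
                        send: (n) => received.push(["send", n]) } };
  const wasmModule = new WebAssembly.Module(WASM_BYTES);
  // The declared import list can be inspected before any code executes.
  const declared = WebAssembly.Module.imports(wasmModule).map((i) => `${i.module}.${i.name}`);
  const instance = new WebAssembly.Instance(wasmModule, hookImports(host, policy, log));
  let error = null;
  try { instance.exports.run(); } catch (e) { error = e.message; }
  return { declared, log, received, error };
}
```

With a policy of `new Set(["env.read"])`, the `read` call goes through, the `send` call is logged and rejected, and the exception propagates out of `run()` to the caller.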