The great npm garbage patch, sneaky serverless costs, quests over goals, rules for effective meeting culture, Timelinize, Postgres.new & more

Changelog News

Developer news worth your attention

Hello again! 👋

Has open(ish) LLM parity arrived?! Llama 3.1 is close enough for me. I’m in the process of ditching “ChatGPT in a tab” as my daily driver. So far, Ollama plus Enchanted for Mac are proving to be a powerful combo. What else should I be using/doing to maximize my gains? 🤔

Ok, let’s get into the news.


🎧 Simply the best pods for devs

🎙️ Into the Bobiverse (Dennis E. Taylor)
💚 Picking a database should be simple (Ben Johnson)
🚀 The Zookeeper of jujutsu (Tim Banks)
🤖 Gaudi processors & Intel’s AI portfolio (Ben & Greg from Intel)
⏰ OpenAPI & API design (Jamie Tanna)

🎭 The best, worst codebase

Jimmy Miller:

My first job was a trial by fire, to this day, that codebase remains the worst and the best codebase I ever had the pleasure of working in. While the codebase will forever remain locked by proprietary walls of that particular company, I hope I can share with you some of its most fun and scary stories.

This post is too glorious to summarize. Just grab some popcorn and go read it. Ok, fine, here’s a few samples to whet your appetite. On the database:

Every morning at 7:15 the employees table was dropped. All the data completely gone. Then a csv from adp was uploaded into the table. During this time you couldn’t login to the system. Sometimes this process failed. But this wasn’t the end of the process. The data needed to be replicated to headquarters. So an email was sent to a man, who every day would push a button to copy the data.

On the codebase:

But to describe this codebase as merely half VB, half C# would be to do it a disservice. Every javascript framework that existed at the time was checked into this repository. Typically, with some custom changes the author believed needed to be made. Most notably, knockout, backbone, and marionette. But of course, there was a smattering of jquery and jquery plugins.

That’s just the tip. Wait ‘til you hear the part about Gilfoyle’s hard drive…

🚮 The great npm garbage patch

The Phylum Research Team:

Like the island of discarded plastic twice the size of Texas floating in the North Pacific Ocean, npm has accrued an astonishing amount of spam packages over the past six months…

Our 95% confidence interval for the estimate of Tea protocol spam in new packages over the past six months jumped to between 68.66% and 74.67%, or somewhere between 613,000 and 667,000 packages. In other words, among all new packages published to npm in the past six months, about five out of every seven packages are Tea spam.

I first covered the unintended consequence of the Tea Protocol’s crypto rewards back in February (issue #83). It appears the damage is even worse than previously discovered! What a mess…

😈 The sneaky costs of scaling serverless

Zach Leatherman decided to migrate the 11ty Screenshots API off Netlify and learned a few things along the way! He ended up parking it on AWS Lambda, but shared the entire journey, plus a handy little spreadsheet that shows how different serverless providers grow based on hours of usage at various memory configurations.

Line graph with hours on the X axis and dollars on the Y. Plots include Lambda, Netlify, Vercel at various RAM configurations.

💰 Dangers of compromised Git dependencies

Thanks to Socket for sponsoring Changelog News

Sarah Gooding outlines the risks associated with using Git dependencies in open source projects:

While there are some legitimate use cases for referencing Git dependencies, and not every package that does this is malicious, it’s important to understand the security risks associated with them:

  • Non-Immutable Dependencies (code can be tampered with after itā€™s downloaded)
  • Unpredictability (Git tags can be moved around, much like a branch)
  • Reproducibility Issues (remote Git URLs can make it difficult to ensure a reproducible build)
  • Security Vulnerabilities (direct refs to Git repositories can bypass typical vetting processes)

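The first two risks in that list (non-immutable code, movable tags) come down to one question: is the Git ref pinned to a commit SHA or not? The following is an added example, not code from Socket or the article, that scans a constructed package.json for Git-sourced dependencies and flags the ones a build would re-resolve on every install. The regexes are an assumed approximation of npm's Git spec grammar (protocol URLs, `github:`/`gitlab:`/`bitbucket:`/`gist:` shorthands, and the bare `user/repo` form), not npm's own parser.

```javascript
// Added example (not from the Socket article). Flags Git dependencies in a
// package.json that are not pinned to a full 40-hex commit SHA.
const GIT_PREFIX = /^(git\+ssh|git\+https?|git\+file|git|ssh):\/\//;
const SHORTHAND = /^(github|gitlab|bitbucket|gist):/;
const BARE_GITHUB = /^[\w.-]+\/[\w.-]+(#.*)?$/; // npm treats "user/repo" as GitHub
const FULL_SHA = /^[0-9a-f]{40}$/;

function isGitDependency(spec) {
  return GIT_PREFIX.test(spec) || SHORTHAND.test(spec) || BARE_GITHUB.test(spec);
}

// Only a full commit SHA is immutable; a tag can be re-pointed, a branch moves,
// a semver range re-resolves, and no ref at all means "whatever HEAD is today".
// The spec alone cannot tell a tag from a branch, so both share one bucket.
function classifyGitRef(spec) {
  const hash = spec.indexOf('#');
  if (hash === -1) return { kind: 'default-branch', ref: null };
  const ref = spec.slice(hash + 1);
  if (ref.startsWith('semver:')) return { kind: 'semver-range', ref };
  if (FULL_SHA.test(ref)) return { kind: 'commit', ref };
  return { kind: 'tag-or-branch', ref };
}

function auditGitDependencies(pkg) {
  const findings = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (typeof spec !== 'string' || !isGitDependency(spec)) continue;
      const { kind, ref } = classifyGitRef(spec);
      findings.push({ name, field, spec, kind, ref, immutable: kind === 'commit' });
    }
  }
  return findings;
}

// Constructed sample package.json; the org, package names and SHA are made up.
const samplePkg = {
  dependencies: {
    'left-pad': '^1.3.0',
    'pinned-lib': 'git+https://github.com/example-org/pinned-lib.git#2ba3f0c9e7d4a1b5c6d7e8f9a0b1c2d3e4f5a6b7',
    'tagged-lib': 'github:example-org/tagged-lib#v2.1.0',
    'floating-lib': 'example-org/floating-lib',
  },
  devDependencies: {
    'range-lib': 'git+ssh://git@github.com/example-org/range-lib.git#semver:^1.0',
  },
};

for (const f of auditGitDependencies(samplePkg)) {
  console.log(`${f.immutable ? 'ok  ' : 'WARN'} ${f.field}/${f.name}: ${f.kind} (${f.spec})`);
}
```

Run against a real project, only `pinned-lib`-style entries survive a review; everything flagged WARN is code that can change between two installs of the same package.json, which is exactly the gap a registry-only vetting process misses.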
Is this something you actively think about? Thankfully, Socket has your back!

Check out the article for the full rundown and how to navigate Socket’s Git Dependency Alert features.

🧭 Do quests, not goals

I love David Cain’s re-framing of short-term goals (which are uninspiring) into quests!

Whereas “goal” has become a tired and bloodless descriptor for the (supposed) intention to do something great, the word quest instills the right mentality for achieving a real-life personal victory:

  • A quest is an adventure, and you expect it to be one…
  • A quest changes you, not just your situation…
  • A quest has a dragon to slay (and it’s inside you)…
  • A quest can change the world…

The cool thing about quests is we already have terminology that further delineates: a side quest might take a few hours of your day, whereas a main quest may require a multi-step plan executed over many months/years. Plus it’s just a lot more fun to talk about!

“I’m on a side quest to fix my Vim config” is a lot more fun (slash impressive) than “I’ve been tweaking my Vim config the last 4 hours” 🤣

📆 7 rules for an effective meeting culture

Meetings: everybody likes calling ’em, nobody likes attending ’em. Unfortunately, they’re a necessary evil for all but the most privileged (or isolated) in the business world. So, if you’re going to have them, you might as well make them effective. Ashley Janssen:

Your meeting culture is the combination of etiquette, protocol and expectations for what happens before, during and after your meetings. It’s all the things (good and bad) that make up how they are run and inform the participants’ experience in the meeting.

She’s written a lot about how to have more effective meetings. I think this list of seven rules to follow is a great intro to how she thinks about meetings. In brief:

  1. Be on time
  2. Be prepared
  3. Be engaged
  4. Be a good listener
  5. Be inclusive
  6. Be accountable
  7. Be reasonable

Common sense stuff, really. But that doesn’t make it wrong! Click through for full explainers of each rule.


šŸŽžļø Clip of the week: analytics FTL?

This post by Benn Stancil was 🔥… our analysis on The Changelog did not disappoint

[Video thumbnail: Disband the analytics team]

ā³ Organize your lifeā€™s data onto a single unified timeline

An ambitious, new project from Caddy creator, Matt Holt:

Organize your photos & videos, chats & messages, location history, social media content, contacts, and more into a single cohesive timeline on your own computer where you can keep them alive forever.

Timelinize lets you import your data from practically anywhere: your computer, phone, online accounts, GPS-enabled radios, various apps and programs, contact lists, cameras, and more.

šŸ˜ In-browser Postgres with an AI interface

Supabase’s launch week kicks off with a fun one (which Paul Copplestone teased on the show last month):

All queries in postgres.new run directly in your browser. There’s no remote Postgres container or WebSocket proxy.

How is this possible? The star of the show is PGlite, a WASM version of Postgres that can run directly in your browser. Our friends at ElectricSQL released PGlite a few months ago after discovering a way to compile the real Postgres source to Web Assembly (more on this later).

šŸ“ More $THINGs of interest


That’s the news for now, but we have some great episodes coming up this week:

Wednesday: Andreas Kling & Chris Wanstrath (defunk!) from Ladybird
Friday: Jordan Eldredge on Winamp skins & the bizarre secrets they hold

Have a great week, forward this to a friend who might dig it & I’ll talk to you again real soon. 💚

–Jerod