Profile picture
Gary Bernhardt @garybernhardt
, 16 tweets, 3 min read Read on Twitter
An npm module named husky destructively added pre- and post-commit hooks to my dotfiles repo (literally ~/.git!). Or maybe some other module told it to do that. I never asked for that. I don't understand why the JavaScript tool ecosystem is like this!
please don't "distrupt" my dotfiles, tech industry
Exciting update: it destructively installed 18 different git hooks.
It added this line to them:

cd "Library/Caches/Yarn/v1/.tmp/05ed5008bcb53e627e45ebc9b505a305.72b166a921bc8f83926da736ee9fef7a69a34d71.prepare"

A bizarre hard-coded path. I only noticed this because for some reason that path is gone now, so it was failing.
Maybe nvm is the one who did this? It's impossible for me to tell from these files. Whatever tool decided to add 18 git hooks to a repo without asking didn't even have the courtesy to leave a comment unambiguously naming itself.
Does anyone know what tool actually created these hooks? A few packages are implicated. Here's one of the files. The hook files are all the same other than a few points where they mention their own names.
Well there's your culprit, I guess: ->
Now I'm curious about how widespread this is. Go into your projects that use npm and do this: `grep -r husky .git/hooks`. Has it added hooks to your repo? If so, did you know that it did that? (Half the npm universe seems to depend on husky transitively, so you probably have it.)
This is a great microcosm of how programming tools have changed. In the mid 2000s, I wrote my own script to install all of our Python deps. The packages were committed directly to the hg repo. It was more work, but I knew exactly what was happening so there were rarely surprises.
I diagnosed and reproduced this. Installing husky as a dev dependency causes it. If you ever have a package.json with a dev dependency on husky, but you're not inside a git repo, husky will search through parent dirs until it finds one and add hooks to it, even if it's ~/.git.
I'd never heard of husky, though, so I didn't add it as a dev dep. And I don't know why I'd ever do `npm install` in someone else's project without a .git present. So the actual situation that caused husky to mutate my dotfiles repo probably involved more complexities.
I feel bad for newer programmers who have to work with this stuff. If I didn't know about git hooks and Unix, I probably would've just had a bunch of errors show up every time I committed (which was the symptom that led me to find those hooks).
When you see a new developer's machine spewing errors about "Library/Caches/Yarn/v1/.tmp/05ed5008bcb53e627e45ebc9b505a305.72b166a921bc8f83926da736ee9fef7a69a34d71.prepare" whenever they commit, please help them, I guess? I don't know what the moral is here.
I don't know why I'm still thinking about this, but here's a shell command that reproduces the behavior:

(mkdir tmp && cd tmp && git init && mkdir tmp2 && cd tmp2 && ls ../.git/hooks && echo '{"devDependencies": {"husky": "1.1.4"}}' > package.json && npm i && ls ../.git/hooks)
It will list the hooks in ./tmp/.git/hooks, then install husky into ./tmp/tmp2, then list the hooks again so you can see that they were mutated. Imagine that ./tmp is your home directory and ./tmp/tmp2 is a package from a tarball or some other source without a .git.
People are now replying to explain that this is my fault for using husky and not knowing what it does. I've never used husky. I learned about husky because I noticed that it had installed these git hooks.
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Gary Bernhardt
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

More from @garybernhardt see all

Profile picture
I wrote a bunch of horribly awkward code, then deleted it and replaced it with eight lines of SQL (max width 64 chars). Greetings from 1974.
Update: six lines!
"The relational view (or model) of data described in Section 1 appears to be superior in several respects to the [document database model, roughly -GRB] presently in vogue for [databases that merely store data]."

-- Codd in 1970, but could've been 2018. seas.upenn.edu/~zives/03f/cis…
Read 5 tweets
Profile picture
An NPM package with 2,000,000 weekly downloads had malicious code injected into it. No one knows what the malicious code does yet. github.com/dominictarr/ev…
There are basically two camps in that thread.

1) This is the original maintainer's fault for transferring ownership to someone they didn't know and trust.
2) Ownership transfer was fine; it's your job to vet all of the code you run.
Option 2 (vet all dependencies) is obviously impossible. Last I looked, a new create-react-app had around a thousand dependencies, all moving fast and breaking things.
Read 9 tweets
Profile picture
One of the biggest selling points during the rise of dynamic languages was that they lacked complex, fragile build processes. Fast-forward 15 years and the most popular dynamic language has build tooling more complex and fragile than many static languages. Time is a flat circle.
btw I wrote this while waiting *six minutes* for the dev dependencies to install for a very small library that I use
he died as he lived, waiting for `npm install`
Read 3 tweets

Related threads

Profile picture
1) My latest @EpochTimes Were Events Surrounding Gen. Flynn’s Moscow Visit Intentionally Misframed?

My apologies in advance. This is of necessity rather long
theepochtimes.com/were-events-su…
2) On Dec. 10, 2015, General Michael Flynn attended a dinner in Moscow honoring the 10th anniversary of Russian television network RT.

Flynn, who was seated next to Putin for the culminating dinner, was also interviewed on national security matters by a RT correspondent.
3) Flynn’s speaker bureau, Leading Authorities, was paid $45,000 for the event. Flynn received $33,000 of the total.

Flynn reportedly joined the Trump campaign in late Feb 2016 as an informal advisor on foreign policy matters—although his actual start date is not entirely clear.
Read 56 tweets
Profile picture
1/
 With the demise of The Weekly Standard, I'm afraid its Neocon minions will spread.

Like popping a zit sprays puss on the mirror:

Already the Left...er,sorry, I meant TruCon/#Never Trump...is promoting Squeaky Ben Shapiro.

Rumors are he's getting @ASavageNation's radio spot.
@ASavageNation 2/
Weakly Standard™ (sic), National Review, and the rest of the barely-disguised Trotskyites were always controlled opposition.

Reason mag, Cato, Niskanen, and other "libertarian" think tanks gather up the stragglers who are *trying* to think for themselves.
@ASavageNation 3/
By owning both sides of the field, the Left can deny any intellectual air-time to the REAL opposition.

TruCons, lazy Boomer conservatives can nod sagely at NRO or Reason "MUH LOWER TAXES" articles.

While making bugger-all difference.
Read 6 tweets
Profile picture
Jill Biden stepping out a bit more, speaking before her husband at HRC Dinner. Opens by telling story of punching a neighbor who was bullying her sister. "I hate bullies," she says
. @DrBiden talks about incorporation of LGBT "As You Are initiative to work of the Biden Foundation. "When the history books are written we want to be on the side of equality."
. @JoeBiden notes @ChadHGriffin credited him for endorsing marriage equality "early -- but it was very late," he says. Adds he had made it clear to Obama staff he wouldn't shy from question if asked directly
Read 11 tweets
Profile picture
So, it's about time I finally did it. Join me as I play Thief: The Dark Project; I've never got further than The Sword before. Thanks to the No Spiders mod from @adurdin I hope to actually finish it this time. #ThiefTDP
I'll be playing Thief Gold. I have multiple copies of The Dark Project but they'd require me to dig through boxes to find. Thief Gold is the only one reliably available online. I am reserving the right to level skip past the Thieves Guild, though. #ThiefTDP
I'll be using the New Dark version, but sticking to a 4:3 aspect ratio. #ThiefTDP
Read 639 tweets
Profile picture
Trump Hotels' website still lists Trump SoHo New York among its properties in the Our Hotels menu. Select its name though to access its page and there's a message about it being renamed

bit.ly/2EPCSy1
National politics correspondent for Newsweek, Nina Burleigh, with a fun find on a TV above the bar at the Trump Hotel DC bit.ly/2E37QRR
Two errors in the 2nd graf of Breitbart's Trump Hotel DC article:
-holdings aren't out of @realDonaldTrump's hands: trust isn't blind & he can profit from it
-Trump Org told Congress it was estimating foreign receipts—not auto donating in full
bit.ly/2CpL7z2
Read 1562 tweets
Profile picture
No denying it. August is here. That means we’re onboarding new RAs and spreading the #Git joy once again. Here’s what I give them... 1/
@michaelstepner’s blog post gives a pithy intro to why researchers should ditch Dropbox code and get with #Git. 2/ michaelstepner.com/blog/git-vs-dr…
@michaelstepner Gentzkow + Shapiro’s "Practitioner’s Guide” is the Bible for coding in the social sciences. 3/ web.stanford.edu/~gentzkow/rese…
Read 9 tweets

Trending hashtags

#Ivanka #BackTheBlue #smarticities #StoryTime #washingtondc #haha #aii #DisclosruesTribunal #pulitizer #cannabispolicy #BecauseofJesus #WeThePeople #WithHer #StoryTimeWithUche #HisNameWasSethRich #Rust2015 #gitflow #OccamsRazor #HangoutWithUcheAndSteve #bigdaga #rustlang #badumching #TalesByTweetLight #FLY #makeamericagreatagain

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member and get exclusive features!

Premium member ($30.00/year)

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!