
I would never recommend copy-pasting this code into your project:

https://htmldom.dev/copy-text-to-the-clipboard

I get "trying to stay vanilla", but any reasonably-common snippet should either be installed from npm or published there.

For this specific issue there's a module named almost exactly the same and it restores the previous selection and focus as well: https://github.com/sindresorhus/copy-text-to-clipboard/blob/...

This is the point of published modules: your code isn't stuck into the version someone wrote in 10 minutes 5 years ago.



> I get "trying to stay vanilla", but any reasonably-common snippet should either be installed from npm or published there.

And that's how you end up with the joke that was left-pad and the broken internet that resulted when the author yanked it.

Dependencies represent a real risk to your product. If it is actually a simple snippet, you shouldn't take that as an NPM dependency - the risk/reward ratio is just way out of whack with that.


Risk of what? You can make dependencies fully sticky with lockfiles.

Instead of adding a file to your “libs” folder you add a line to package.json

Any code that isn’t in my repo is code I don’t have to maintain.

Left pad can’t happen anymore (for 4 years now) and if you don’t know that you’re either lying or outdated (like those files in your libs folder)


NPM disallowed un-publishing modules within a few days of that incident. It's not a thing that happens any more. Also, NPM for years has defaulted to creating lockfiles with all the specific versions of dependencies pinned, so even if a dependency gets updated to have a bug, you will stay on the currently-pinned version unless you specifically change that.


> It's not a thing that happens any more

Except it literally happened again 2 years after the left-pad incident:

https://status.npmjs.org/incidents/41zfb8qpvrdj

https://github.com/facebook/create-react-app/issues/3701

https://github.com/angular/angular-cli/issues/9113

But anyway whether or not the module is un-published doesn't really matter. The module could also just become malicious. Ownership changes, quality of code changes, etc... If you're pinning with lockfiles you're basically back to copy/pasting or checking in a clone of an upstream repo - the maintenance burden shifts back to you at that point. You still then have to manually go update, and remember to do that, or you become just as easily obsolete as the copy/pasted snippet.


There are downsides to using package libraries as well. Like: 200mb hello world applications, or some companies restrict npm packages for security reasons.

Or, you just want to write code in notepad.exe. There is benefit to simplicity in many cases.


It's up to you to choose reasonable modules by reasonable developers. Notice I didn't call it a library, it's a 1kb module that has the code from the example + fixes you'd want anyway.


But what is the real downside of me using it?

The overhead of setting up NPM, some repo when I can achieve the same thing with that snippet, seems just too over the top.


> The overhead of setting up NPM

What overhead? You don’t run any optimization step on your code? I haven’t seen a single front end project without package.json in years in all the companies I consulted for, and I don’t even deal with fancy frameworks.


I don't code in node, nor am I a developer. The overhead of using a package manager, when I can copy and paste just feels unnecessary.

The web projects that I work on are rendered at the server and then that is displayed to the client.



