Work log, 12022-01-17

I’ve been doing these “work logs” publicly for a week now. The process is easy – when I sit down to start a workday, I start a new Markdown file. During the day I document what I’m doing, broadly, noting things like breakthroughs, frustrations, insights, useful links that come up. At the end of the day, instead of just forgetting the document exists, I commit it to my blog repo. Perhaps the public nature of this will come back to bite me at some point, but for now this is having a positive effect on me. In particular:

  • It keeps motivation fairly high because I see progress.
  • The public nature pushes me to continue (even if nobody is reading this).
  • The process has built-in rubber ducking.
  • I have gotten feedback from friends who have pointed out ways to do things better.
  • Links accumulate somewhere useful and relevant.
  • There’s a scratchpad for ideas always handy.

This last bit is kind of big. For a few years now I’ve maintained a general purpose scratchpad, but it’s a mess and rarely fit for purpose. At best it serves as a storage for text that doesn’t have a clear home yet. At worst, it’s a dumping ground for half-baked ideas, but without any context or chronology. This isn’t necessarily a more coherent dumping ground, but it has some context at least.

Anyway, I’m going to continue this for a while at least. See how it goes.

Upgrading some Frontend code

Noting all of the above, the point about motivation is real, but it certainly isn’t guaranteed.

A chunk of today was spent working on a React-based frontend. First off, the entire JavaScript ecosystem is a pile of poop. It’s got such a horrendous cargo cult mentality that it appears to be incapable of actually making software that actually works.

So, a solid three hours were spent chasing dependencies. I wanted to get rid of critical security vulnerabilities as reported by NPM, but of course doing so required upgrading some packages. Except, circular dependencies. After fighting this for about half an hour, I figured I’d go through one by one, manually check the most recent version, update the package.json appropriately, and continue until done. Except, of course, there were dozens of packages that depended on ancient versions of other packages.

Three hours in, I had reduced the size of node_modules from an initial 767MB to a somewhat less horrific 401MB. How anybody justifies hundreds of megabytes of dependencies nested for an application that currently consists of about 2000 lines of code, I cannot imagine. The fact that half of the dependencies don’t do anything nontrivial just makes it worse.

Amusingly, after all of this, I still get warnings of “15 moderate severity vulnerabilities” – but if I run npm audit fix --force as it suggests, then a bunch of processing happens, after which it reports that now I have “144 vulnerabilities (4 low, 122 moderate, 16 high, 2 critical)”, in addition to nothing working anymore. Which appears to be the opposite of what auditing was for. Thankfully rolling back from that stupidity was easy.
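
`npm audit fix --force` also installs SemVer-major updates, not only in-range ones, which is how it can break a build. As an added example (not part of the original log), this JavaScript triages an `npm audit --json` report (npm 7+ format) by what each fix would cost and compares the before/after counts quoted above; the function names and package names are constructed placeholders.

```javascript
const SEVERITY_ORDER = ["info", "low", "moderate", "high", "critical"];

// Split findings by what a fix would cost: an in-range update, a semver-major
// update (only applied with --force), or no published fix at all.
function triageAudit(report) {
  const buckets = { compatible: [], breaking: [], unfixable: [] };
  for (const [name, vuln] of Object.entries(report.vulnerabilities || {})) {
    const fix = vuln.fixAvailable; // boolean, or { name, version, isSemVerMajor }
    const entry = { name, severity: vuln.severity, direct: Boolean(vuln.isDirect) };
    if (!fix) {
      buckets.unfixable.push(entry);
    } else if (typeof fix === "object" && fix.isSemVerMajor) {
      buckets.breaking.push({ ...entry, via: `${fix.name}@${fix.version}` });
    } else {
      buckets.compatible.push(entry);
    }
  }
  return buckets;
}

// Compare the severity counts of two reports (metadata.vulnerabilities) and
// flag a regression if any severity level went up.
function compareCounts(before, after) {
  const delta = {};
  let regressed = false;
  for (const level of SEVERITY_ORDER) {
    delta[level] = (after[level] || 0) - (before[level] || 0);
    if (delta[level] > 0) regressed = true;
  }
  return { delta, regressed };
}

// Constructed sample report; the package names are placeholders.
const sampleReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    "example-parser": { severity: "moderate", isDirect: false, fixAvailable: true },
    "example-bundler": { severity: "moderate", isDirect: true,
      fixAvailable: { name: "example-bundler", version: "5.0.0", isSemVerMajor: true } },
    "example-legacy": { severity: "moderate", isDirect: false, fixAvailable: false },
  },
};

// Counts quoted in the log, before and after `npm audit fix --force`.
const beforeForce = { low: 0, moderate: 15, high: 0, critical: 0 };
const afterForce = { low: 4, moderate: 122, high: 16, critical: 2 };
console.log(triageAudit(sampleReport), compareCounts(beforeForce, afterForce));
```

Anything in the `breaking` bucket is a candidate for a deliberate, tested major upgrade rather than a forced one; `npm audit fix --dry-run` previews what a fix would change.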

My original plan was to convert this project to TypeScript, but I have zero actual desire to spend more time with this junk today. Maybe tomorrow, or maybe I’ll figure something else out.

Demoralizing code

To round off the day with something useful after running out of steam, I updated a few libraries, documented some stuff, and drew some diagrams. Yay.

Really, it is a little bit astounding how soul-crushing it is to work with JavaScript. The importance of maintaining high morale while working cannot be overstated. If I feel bored, annoyed or sad, then I am going to be less efficient. But worse than that, I don’t have fun. And if I’m not having fun, then something is very wrong.

For most types of programming, there are ways to increase joy, such as by using better languages, writing code in smarter ways, and having good infrastructure in place. But when it comes to frontend web development, there are very few ways to not feel like shit while doing work. It’s just a horribly convoluted and bad ecosystem full of really bad code, and while I want to be generous and say nice things, I really just can’t. I will say that nominally, there is progress in the right direction via things like TypeScript, but it doesn’t change the overall dumpster fire that is JavaScript.

I don’t know what the actual solution is here, except perhaps if browsers were to start promoting and supporting some new language that avoids most of JavaScript’s pitfalls. But I’m not going to hold my breath until that happens.

Anyway, I’ll stop complaining now. There’s more work to be done – thankfully, not on the frontend.

Authorization tokens

Current methods for web API authentication appear to be:

  • OAuth / OAuth2
  • JWT (JSON Web Tokens)
  • OpenID Connect
  • Homerolled bearer tokens (Bad Idea™)

JWT appears to be the easiest to use, but managing it from the frontend requires some level of magic.
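
What that frontend handling typically involves, as an added example that is not part of the original log: keep the token in memory, read `exp` to know when it stops being usable, and attach it as a bearer header. All function names here are hypothetical and the sample token is constructed and unsigned.

```javascript
// Read the claims of a compact JWT without verifying it. The client uses this
// only for scheduling around `exp`; the API still verifies the signature.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return JSON.parse(new TextDecoder().decode(bytes));
}

// Hypothetical in-memory holder: the token is never written to localStorage,
// so a reload drops it and the user (or a refresh call) has to obtain a new one.
function createTokenStore(now = () => Date.now(), skewSeconds = 30) {
  let token = null;
  let expiresAtMs = 0;
  return {
    set(newToken) {
      const { exp } = decodeJwtPayload(newToken);
      if (typeof exp !== "number") throw new Error("token has no exp claim");
      token = newToken;
      expiresAtMs = exp * 1000;
    },
    clear() { token = null; expiresAtMs = 0; },
    // The token is handed out only while it is valid, minus a clock-skew margin.
    get() { return token && now() < expiresAtMs - skewSeconds * 1000 ? token : null; },
  };
}

// Wrap a fetch-compatible function so each call carries the bearer token;
// a 401 clears the store so the UI can route back to login.
function withAuth(fetchFn, store) {
  return async (url, options = {}) => {
    const token = store.get();
    if (!token) throw new Error("no valid token; re-authenticate");
    const headers = { ...(options.headers || {}), Authorization: `Bearer ${token}` };
    const response = await fetchFn(url, { ...options, headers });
    if (response.status === 401) store.clear();
    return response;
  };
}

// Constructed, unsigned sample token (the signature part is a placeholder).
function makeSampleToken(claims) {
  const enc = (obj) => btoa(JSON.stringify(obj)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "HS256", typ: "JWT" })}.${enc(claims)}.placeholder-signature`;
}
```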

Here are some React-oriented resources: