Three tips for becoming a package management wizard

If you’ve worked anywhere in the JavaScript ecosystem, you’re probably aware of just how chaotic things can get once you pull in even a small number of npm packages: each one brings its own transitive dependencies, and all of them move on their own release schedules.

1) Always (yes, always) pin specific versions of your dependencies. Every day packages in your stack get updated, and unless you want to spend all your time fixing bugs in dependencies you probably don’t want to be the first person running the new version. An exact version (1.2.3, not ^1.2.3) also means a fresh install or a CI build pulls the same code you reviewed, rather than whatever was published last night.

2) Sometimes your dependencies will have unpinned dependencies of their own, and that can wreck your day just as quickly as point 1. Check your git log and review changes to package-lock.json or yarn.lock to see when your dependency tree actually changed (which means the lock file has to be committed, not ignored). You can directly pin a known-good version of a dependency’s dependency (Yarn’s resolutions field and npm’s overrides field exist for exactly this) and keep everything working.

3) If you’re stuck, patch the broken dependency with patch-package. It applies a diff to a dependency as it’s installed and makes it wonderfully easy to track which patches you’re carrying in your stack; the patch files live in your repo, so they get reviewed like any other change.
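The checks behind tips 1 and 2 are easy to automate. The script below is an added example, not code from the original post: it flags direct dependencies whose specifier is not an exact version, and diffs the packages map of two package-lock.json snapshots (lockfileVersion 2 or 3, the format npm writes today) to show which packages were added, removed or changed version, plus any entry that has no integrity hash for npm to verify the tarball against. The package names, versions and lock entries are constructed sample data; the integrity strings are placeholders.

```javascript
// Added example (not from the original post): audit a package.json for
// unpinned direct dependencies and diff two package-lock.json snapshots
// to see which (transitive) packages changed between two commits.
// All manifests below are constructed sample data for this example.

// Exact semver: MAJOR.MINOR.PATCH with optional prerelease/build suffix.
const EXACT_SEMVER = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// Return every direct dependency whose specifier is not an exact version.
// Ranges (^, ~, >=, *, x), dist-tags ("latest") and URL specifiers all let a
// fresh install pull in code that nobody on the team has reviewed.
function findUnpinned(pkg) {
  const sections = ["dependencies", "devDependencies", "optionalDependencies"];
  const unpinned = [];
  for (const section of sections) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      if (!EXACT_SEMVER.test(spec)) unpinned.push({ section, name, spec });
    }
  }
  return unpinned;
}

// Compare the "packages" map of two lockfileVersion 2/3 package-lock.json
// files. Keys look like "node_modules/foo" (or nested
// "node_modules/foo/node_modules/bar"); the "" key is the root project.
// Entries without an "integrity" field cannot be verified by npm on install
// (workspace links, marked with "link": true, legitimately have none).
function diffLockfiles(oldLock, newLock) {
  const oldPkgs = oldLock.packages || {};
  const newPkgs = newLock.packages || {};
  const result = { added: [], removed: [], changed: [], missingIntegrity: [] };
  for (const [key, entry] of Object.entries(newPkgs)) {
    if (key === "") continue;
    if (!entry.integrity && !entry.link) result.missingIntegrity.push(key);
    if (!(key in oldPkgs)) {
      result.added.push({ path: key, version: entry.version });
    } else if (oldPkgs[key].version !== entry.version) {
      result.changed.push({ path: key, from: oldPkgs[key].version, to: entry.version });
    }
  }
  for (const [key, entry] of Object.entries(oldPkgs)) {
    if (key !== "" && !(key in newPkgs)) {
      result.removed.push({ path: key, version: entry.version });
    }
  }
  return result;
}

// Constructed sample manifest: one pinned dependency, two unpinned ones,
// and an npm "overrides" entry pinning a transitive dependency (tip 2).
const samplePackageJson = {
  name: "example-app",
  dependencies: { "left-pad": "1.3.0", "lodash": "^4.17.21" },
  devDependencies: { "eslint": "latest" },
  overrides: { "minimist": "1.2.8" },
};

// Constructed lock snapshots "before" and "after" a commit. Integrity values
// are placeholders, not real hashes.
const oldLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app" },
    "node_modules/lodash": { version: "4.17.20", integrity: "sha512-PLACEHOLDER" },
    "node_modules/minimist": { version: "1.2.5", integrity: "sha512-PLACEHOLDER" },
    "node_modules/debug": { version: "4.3.4", integrity: "sha512-PLACEHOLDER" },
  },
};
const newLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app" },
    "node_modules/lodash": { version: "4.17.21", integrity: "sha512-PLACEHOLDER" },
    "node_modules/minimist": { version: "1.2.8", integrity: "sha512-PLACEHOLDER" },
    "node_modules/ms": { version: "2.1.3" }, // no integrity: npm cannot verify this tarball
  },
};

// Run both checks and return a single report object.
function auditDependencies(pkg, before, after) {
  return { unpinned: findUnpinned(pkg), lockDiff: diffLockfiles(before, after) };
}

console.log(JSON.stringify(auditDependencies(samplePackageJson, oldLock, newLock), null, 2));
```

In practice you would read package.json and the two lock files (for example `git show HEAD~1:package-lock.json`) with `fs.readFileSync` and `JSON.parse` instead of the inline samples, and fail the build when the unpinned list or the missingIntegrity list is non-empty.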

Why the Facebook and Google SDKs are in all your apps

In case you missed it, there’s been a media storm this week around the Zoom video conferencing app and small data transmissions to Facebook on launch.

Why do so many apps include these SDKs?

Quite simply, if the company needs to grow by advertising on Facebook or on any of Google’s ad properties, it needs to include the SDKs for those platforms, or its ads will be limited or simply not run by those advertising platforms. Yahoo ads work the same way.

It’s pretty hard to make a case that any business trying to attract new customers can just avoid these advertising giants. They really do work and are (despite rising costs) really effective advertising channels.

I’m going to skip over the arguments around “Login with” requiring SDKs. Most authentication platforms I’ve seen provide paths to do authentication without including those SDKs, making it possible for the app developer to work around them.

What can they do about it?

Not much, actually. If the business’s survival depends on attracting new customers, it’s at the mercy of the requirements of the advertising/authentication platform.

Who’s really responsible?

Facebook, Google, and all the other advertising platforms that refuse to run ads without deep hooks into applications and websites.

Can the advertising platforms actually fix it?

I don’t think it would be simple for them to fix either. One of the great upsides of embedding your SDK into ad targets is that you can do really advanced click-fraud detection.

It’s a systemic problem

Running advertising platforms at scales larger than what humans can effectively monitor leads us down this path. For these platforms to operate effectively and minimise fraud, they really do need an immense amount of data feedback.

You could make the argument that the world would be a better place without these advertising giants, but that doesn’t really help us today. We’re well beyond the point where they could or would just pivot to doing business some other way.

What can we fix?

1. Facebook, Google, and the other advertising platforms should provide (up front) messaging for companies to include in their terms of service to explain what’s happening and why. It’s not possible today for an app developer who’s including their SDKs to write this themselves; we just don’t understand enough about what they are or might be doing with the information. They should also tailor this text to an app’s specific settings to make it more accurate and less scary if the app is doing everything it can to turn non-critical parts of the SDKs off.

2. App developers should roll out a specific section in their terms and conditions that includes the snippets from third-party solutions, to increase the transparency of what’s actually going on.

3. Unfortunately we all have to start being more comfortable with some amount of data transfer between entities. Hopefully over time we get better at minimising the transfer, but it’s not going to be possible to operate in the advertising world promoting your product if you’re trying to get to zero data transfer.

As little as possible, but no less

Process, if written down, can be a massive accelerator for your team. Check your process into GitHub and welcome pull requests using the same rules you’d apply to software development: new changes should make things simpler, faster, and measurably better!

Create a process that helps you go faster, that everyone on the team knows, and add a referee (or reviewer) to make sure your team is playing the same game!

Which way is up?

Ever tried to get a bunch of kids to hold hands and run in the same direction? That’s what writing software as part of a team feels like, but the directions are _way_ more complicated.

Keep it simple. Make the order of the steps, and which direction each step is in, very clear.

The Netflix slip

I have a hypothesis about why Netflix notched its first backslide in the US this week.

Their interface is terrible. What use case is it designed for? Back to basics: here’s what I think they need to be looking at:

  1. I’m in the middle of watching a series. Show me more!
  2. I’m finished, find me something new to watch!
  3. It’s a Saturday night, what are the latest hit movies?

Right now the main screen is a giant grid that scrolls in every direction and presents far too many options.

Every time we sit down and open Netflix we spend the first 30 minutes trying to find something to watch. I cannot believe that a renowned data driven company isn’t seeing this as a major issue.

This is the critical inflection point for the company. They’re drowning in their own race for more content, and the algorithms don’t know how to define better content.


It’s Monday morning at last.

You’ve survived another weekend of fighting tech fires.

Important note: tech fires only ever emerge on Friday nights.

Your wife and kids were a bit cranky with you at first but by the end of the weekend you had found a way to make it feel like you were present, and not all consumed by technology.

Truthfully you’ve barely stopped thinking about the challenge you half solved on Friday.

More coffee. Headphones on. Time to go.

Zip zip!

The apology Zoom should have made

AFTER INITIALLY SAYING that it wouldn’t issue a full fix for a vulnerability disclosed on Monday, the video conferencing service Zoom has changed course. The company now tells WIRED that it will push a patch on Tuesday to alter Zoom’s functionality and eliminate the bug. You should update Zoom now.

The Zoom controversy stems from the service’s slippery video streaming settings that launch instantly on Macs when users join a call. Late Monday evening, the company published an extensive statement defending the practice and addressing other bugs found by security researcher Jonathan Leitschuh. But it declined to fully address the concern that an attacker could distribute a malicious Zoom call URL, trick users into clicking it, and then open a channel to their lives when their webcam automatically activated. Zoom originally said that it would adjust the settings by which a user chooses to launch video by default with every call.


What the CEO should have said:

Over the last few years we’ve been trying a ton of stuff here at Zoom, and one of those things was running a pared-down web server on your machine to help us in three areas:

1) To streamline the process of connecting to calls. A major point of friction in starting conferences on the internet has been getting the call software installed and connected to the right meeting. Our mission is to solve this problem, so we’ve tried many out-of-the-box ideas to see if we can make it simple and easy.

2) To make our product more sticky. We added the ability to automatically re-install the Zoom client and connect you to a call if you had removed it, helping us get those great reviews talking about how Zoom feels like magic to use and is so much easier than other conferencing solutions.

3) Our enterprise customers have a ton of requirements for getting Zoom running and making it easier for their staff to use. If it looks like we’re doing odd things, there’s probably a huge enterprise deal or use case that the weird thing helps with.

We realise we’re way over the line with this solution. We’re sorry. While it may be appropriate for some enterprise customers, we never should have rolled it out to all of you. We’re going to fix it.

— Zoom CEO

What the CEO did say:

To Our Valued Customers:

Earlier this week, a security researcher published a blog highlighting concerns with aspects of the Zoom platform. In engaging this researcher over the past 90 days, we misjudged the situation and did not respond quickly enough — and that’s on us. We take full ownership and we’ve learned a great deal. What I can tell you is that we take user security incredibly seriously and we are wholeheartedly committed to doing right by our users.

We are making a number of changes to ensure that we do better. Here is what we’ve already done and plan to do:

Tuesday, July 9

Zoom issued an update to our Mac app with the following:

Removed the local web server via a prompted update.

Allowed users to manually uninstall Zoom. This new option in the Zoom menu bar allowed users to manually uninstall the Zoom client, including the local web server. A new menu option says, “Uninstall Zoom.” By clicking that button, Zoom’s app and web server are removed from the user’s device along with the user’s saved settings.

Wednesday, July 10

Apple issued an update to ensure that the Zoom web server is removed from all Macs, even if the user did not update their Zoom app or deleted it before we issued our July 9 patch. Zoom worked with Apple to test this update, which requires no user interaction.

Weekend of July 13

We have a planned release for the weekend of July 13 that will address video on by default. With this release, first-time users who select “Always turn off my video” will automatically have their video preference saved. The selection will automatically be applied to the user’s Zoom client settings and their video will be OFF by default for all future meetings. (Returning users can update their video preferences and make video OFF by default at any time through the Zoom client settings.)


Improving bug bounty program: Zoom will go live with its public vulnerability disclosure program in the next few weeks, supplementing our existing private bug bounty program. In the meantime, we encourage anyone with security concerns to reach out at 

Our current escalation process clearly wasn’t good enough in this instance. We have taken steps to improve our process for receiving, escalating, and closing the loop on all future security-related concerns.

Zoom is a platform built around and for our customers and maintaining your trust is paramount. We hope through these ongoing efforts we will regain and rebuild any lost confidence, and build a stronger service for our customers.

Eric S. Yuan

Zoom Founder and CEO

Zoom Blog

Did he make any attempt to explain why they were doing what they did? Or why it was bad? No. Enjoy the downhill slide, Eric.

Zip zip!