Looking a little bit into the future of browser apps which will no longer use
pre-compiled code using e.g. #webpack, but fetch dependencies using #esm
(ECMAScript module): we need to shift testing environments to actually use
browsers (albeit headless) as the test runner.
In addition, dependencies can be pinned (e.g. using @pikapkg's
https://www.skypack.dev/), but this means dependency and security monitoring
tools like @snyksec face entirely new challenges:
they now need to discover dependencies directly from source files.
And what about our beloved package-lock.json? It guarantees that all
dependencies and sub-dependencies are installed with a specific version, which
ensures that everyone building and executing the code gets a specific state (see
@ReproBuilds). #ESM only pins the top-level.
It's a classic IT development: progress on one axis (improves developer UX,
decreases JS payload size and time to interaction on the user side) but at the
same time it creates new challenges (or resurfaces old ones).
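
What discovering dependencies directly from source files can look like, as an added example that is not part of the original thread: a small scanner that extracts ESM import specifiers and reports URL imports that carry no exact version. The function names, the regex-based approach and the sample URLs are assumptions made for illustration; sub-dependencies fetched by the imported modules themselves are not visible to it, which is the top-level-only pinning gap described above.

```javascript
// Constructed sample source; the CDN URLs are illustrative, not from the thread.
const SAMPLE_SOURCE = `
import { h, render } from "https://cdn.skypack.dev/preact@10.5.5";
import debounce from "https://cdn.skypack.dev/lodash-es/debounce";
import "./polyfill.js";
export { helper } from "../lib/helper.js";
const chart = await import("chart-lib");
`;

// Static imports, re-exports and dynamic import() with a string literal.
// Regex discovery is approximate; a production scanner would use a JS parser.
const IMPORT_RE =
  /(?:\bimport\s+(?:[\w*\s{},$]+?\s+from\s+)?|\bexport\s+[\w*\s{},$]+?\s+from\s+|\bimport\s*\(\s*)(["'])([^"']+)\1/g;

// Exact semver after a package name: pkg@1.2.3 or @scope/pkg@1.2.3/file.js
const EXACT_VERSION_RE = /@v?(\d+\.\d+\.\d+(?:-[\w.]+)?)(?=\/|$)/;

function classify(specifier) {
  if (/^https?:\/\//.test(specifier)) {
    const url = new URL(specifier);
    const m = EXACT_VERSION_RE.exec(url.pathname);
    return { specifier, kind: "url", host: url.host,
             pinned: m !== null, version: m ? m[1] : null };
  }
  if (/^\.{0,2}\//.test(specifier)) return { specifier, kind: "relative" };
  return { specifier, kind: "bare" }; // needs an import map or bundler to resolve
}

// Returns one record per distinct specifier, in order of first appearance.
function discoverDependencies(source) {
  const seen = new Map();
  for (const match of source.matchAll(IMPORT_RE)) {
    if (!seen.has(match[2])) seen.set(match[2], classify(match[2]));
  }
  return [...seen.values()];
}

// URL imports without an exact version resolve to whatever the CDN serves today.
function findUnpinned(source) {
  return discoverDependencies(source)
    .filter((d) => d.kind === "url" && !d.pinned)
    .map((d) => d.specifier);
}

console.log(discoverDependencies(SAMPLE_SOURCE));
console.log("unpinned:", findUnpinned(SAMPLE_SOURCE));
```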