Записи о веб-разработке, рекомендованные Артемием Трегубенко

Guided Meditation for Developers

2026-03-15T20:55:43Z

Find a comfortable position. Close your laptop halfway, so the screen light softens but the fan noise continues.¹ That hum is your anchor. You will return to it throughout this practice.

Take a deep breath in. Hold it. Now run npm install. Breathe out slowly as 1,247 packages are added. Do not look at the output. You are not ready.

Body scan

We will begin with a body scan. Bring your attention to the top of your head. Notice any tension you are holding there. This is where you store your awareness of packages that have not been updated in three years but still work. Let it soften. Those packages do not need you right now. They are dormant, the way a perennial is dormant. The roots are still in the ground. There is nothing for you to do until spring, and spring may never come, and that is also part of the garden.

Move your attention to your forehead. This is where you hold the memory of every major version bump that removed the one function you actually used. The migration guide was six pages long and the first step was “update your mental model.” Breathe into that space. Release it. You have already updated your mental model. You updated it when you pinned to the previous version and moved on.

Now bring awareness to your jaw. You are clenching it. You have been clenching it since the last time you saw ERESOLVE unable to resolve dependency tree. Unclench. The tree will not resolve faster because your jaw is tight. The tree may not resolve at all. That is also acceptable. We are practising acceptance today.

Feel your shoulders. They have been raised since you read the GitHub issue titled “Is this project still maintained?” posted fourteen months ago with no response. Lower them. The maintainer may be on a goat farm in Portugal. The maintainer may be the goat. You cannot control this. Release your shoulders and release the maintainer.

Your hands are hovering over the keyboard. Notice which keys your fingers are drawn to. If they are drawn to the up arrow and enter, you are about to re-run a command that has already failed. This is not mindfulness. This is while true. Gently place your hands in your lap.

Breathing exercise

We will now practise a breathing technique calibrated to the dependency lifecycle.

Breathe in for four seconds. This represents the planting season, when the package is new and everything works and the README has a row of green badges and the soil is warm.

Hold for seven seconds. This represents the long growing season, when issues accumulate faster than they are closed and the CI badge turns grey because the service it was hosted on has itself been abandoned. The plant is alive but nobody is watering it. Weeds are moving in. You can see them in the issue tracker.

Breathe out for eight seconds. This represents the harvest and rot, when a blog post titled “Why We Moved Away From X” appears on Hacker News and the comment thread is 400 messages long and the top comment is “I said this would happen two years ago” with no link to the original prediction.

Repeat this cycle. In for four. Hold for seven. Out for eight. If you lose count, that is fine. Counting is implemented differently across locales and your breathing may be lexicographically sorted.

Visualisation

Close your eyes. You are standing in a garden. This is your project. You planted some of what grows here, chose it carefully, read the labels, checked the light requirements. But most of what you see was not planted by you. It arrived as seeds carried inside other plants, hidden in the root ball of a package you selected for its flowers without thinking about what it would bring with it. This is transitive dependency. Every garden has it. You are not a bad gardener. You are a gardener.

Walk deeper into the garden, past the border plants you recognise and tend. Past the mid-layer shrubs whose names you have seen in your lockfile but never looked up. Keep walking until you reach the back fence, where the growth is dense and tangled and the packages are maintained by a single person in a different timezone whose GitHub profile picture is a sunset from 2016.

Look down. The soil here smells faintly of sulfur. This is normal. The sulfur is coming from a transitive dependency six levels deep that pulls in a native binding to a C library that was last updated during the Obama administration. The binding works. Nobody knows why. Its roots have grown into your foundation in ways that would be unwise to investigate. Sit with this. Breathe. Every garden has something growing behind the shed that you have decided not to identify.

Now, from this place of stillness, I want you to visualise a yellow advisory banner. It says 3 moderate severity vulnerabilities. Do not open your eyes. Do not run npm audit fix. The fix will update a package that will break a peer dependency that will cascade through your lockfile like pulling a weed whose roots have wrapped around everything else in the bed. You know this because you have done it before. Instead, observe the advisory. Let it be. Moderate severity means someone could theoretically exploit a ReDoS in a markdown parser if they controlled the input and had four hours and very specific motivations. This is not your concern today.

Mantra

Repeat after me, silently, in the voice of your internal monologue:

I accept the packages I cannot update.

I accept the breaking changes I cannot predict.

I accept that node_modules is larger than my application and always will be. The undergrowth is always larger than the tree.

I accept that the package I depend on depends on a package that depends on a package whose maintainer closed all issues with the message “I am mass-closing issues. If your issue is still relevant, please re-open it,” and then transferred the repository to an organisation with no other public repositories.

Breathe.

I accept that --legacy-peer-deps is not a solution. It is a coping mechanism. I am at peace with my coping mechanisms.

I accept that somewhere in my lockfile there are two versions of the same package and they are both wrong. Two plants with the same name that fruit differently. I will not dig them up today.

Letting go

You carry your dependency tree with you when you leave your desk. You carry it into the shower, where you think about whether that package you added last week is still maintained. You carry it to bed, where you wonder if the lockfile you committed on Friday will still resolve on Monday. You carry it to dinner with friends, where you do not mention it, but it is there, a background process consuming resources, never quite idle.

Notice this. You are anxious about code that is not running. You are worried about packages that are sitting in a registry, unchanged, doing nothing. The vulnerability you read about on Tuesday has not been exploited. The deprecation warning you saw has no deadline. The package whose maintainer went quiet is still working, today, right now, exactly as it was when you chose it. Nothing has happened. You are holding tension for things that have not happened yet and may never happen.

Put the garden down. You are not in the garden right now. The garden does not need you at midnight. The weeds will not grow faster because you are thinking about them. The frost will not come sooner because you are watching the forecast. Your dependency tree is a text file on a server and it will be the same text file tomorrow morning.

Breathe in. You are not on call for your lockfile.

Breathe out. The packages can wait. They have always been waiting. That is all they do.

Guided acceptance: the six dependency griefs

Version conflict. Two packages in your tree require different major versions of a third package. You cannot have both. You cannot have neither. You can have one if you alias the other, which means your application will ship two copies and they will not share state and something will break at runtime in a way that no type checker or linter will catch. Observe this situation. Do not try to fix it. It was not introduced by a person. It was introduced by time. Time moved the versions apart the way two branches of the same tree grow in different directions, slowly and without malice, until they are reaching for different light entirely and you are the trunk expected to feed them both.

Abandonment. A package you depend on has stopped growing. The last commit was a Dependabot PR that was never merged. The README still says “PRs welcome!” in a way that now reads as historical document rather than invitation. You could fork it. You could tend the fork. You could become the person whose GitHub profile picture is a sunset, who mass-closes issues, who gets emails from strangers asking why the leaves are brown. Sit with this. The package gave you what it could for as long as it could. Send it gratitude. Let it decompose. The nutrients will feed the next thing that grows in that spot.

The phantom dependency. Your application works in development but fails in CI because you are relying on a package that you never declared as a dependency. It is installed because another package depends on it, and your package manager hoists it to a location where your code can reach it, and you imported it eighteen months ago without realising it wasn’t yours to import. You have been eating fruit from your neighbour’s tree, the branch that overhangs your side of the fence, and now your neighbour has cut the branch. The phantom dependency is a lesson in impermanence. Acknowledge it. Plant your own. Or don’t. Either way you are choosing a form of suffering, and choosing is itself a practice.

The security advisory that does not apply. You have received a security advisory for a vulnerability in a package you use. The vulnerability is in a function you do not call, in a code path you do not exercise, in a scenario that requires an attacker to control a YAML parser’s input while running as root on a machine that accepts unsigned certificates over an unauthenticated HTTP endpoint. The advisory is marked Critical. Your security dashboard is red. Your compliance team has opened a ticket. The fix requires upgrading to a version that drops support for the Node.js version you are running in production. Breathe in. This is suffering caused by metrics. A garden inspector has told you that one of your plants is on a list of invasive species in a country you do not live in. The metric says you are insecure. You are not insecure. You are measured.

The merge conflict in the lockfile. Two branches have grown toward the same light and met in the middle. You and a colleague both updated dependencies, and now the lockfile has 4,000 lines of conflict markers. You will not read them. Nobody reads them. The lockfile is not meant to be read by humans, which is why git insists on showing it to you in a format designed for humans to resolve. This is a tangled vine that cannot be unknotted, only severed and replanted. Run git checkout HEAD -- package-lock.json and then npm install and let the tree grow back from your side. Your colleague’s changes will need to be re-resolved. This feels wasteful. It is wasteful. Gardening is mostly waste. Seeds that don’t germinate, cuttings that don’t take, entire seasons of growth pulled up because something else needed the space. Release the guilt. Delete the conflict. Begin again.

The everything update. It has been eight months since you last tended your dependencies. You have been meaning to. The longer you wait the harder it gets, and the harder it gets the longer you wait, and this recursion has no base case. Today you run npm outdated and the output is longer than your application. Thirty-seven packages have new major versions. The changelogs reference other changelogs. The migration guides assume you completed the previous migration guide. You are four migrations behind. This is the garden you left over winter. The gate is stuck. The paths are overgrown. Something has built a nest in the trellis. Observe the fear. Name it. It is called “I am going to spend three days on this and my application will behave exactly the same when I am done.” That is correct. It will behave exactly the same. That is the practice. Maintenance is a meditation on impermanence disguised as wasted effort. The garden does not look different after you weed it. But you were there. Your hands were in the soil. That is enough.

Closing

Bring your awareness back to your breath. Back to the hum of your laptop fan. Notice that it is louder now. Something in your node_modules has triggered a post-install script that is compiling a native module. Or mining something. You cannot know which from the sound alone, and knowing would not change the sound. Listen to the gentle sound of endless blocks being chained together. Let it run. You agreed to this when you ran npm install. You agree to it every time. Whatever is happening in that process is happening now, and it will finish when it finishes, and what will be will be.

When you are ready, open your eyes. Open your laptop fully. Look at your terminal. If there are warnings, let them scroll past. They have always been scrolling past. You have always been here, in this garden, between npm install and the next breaking change, tending what you can and accepting what you cannot.

Go gently. The growing season is long and the soil does not care about your deadlines.

This meditation was tested on Node.js 18, 20, and 22. Results may vary on earlier versions due to a breaking change in the --harmony-weakrefs flag that affects garbage collection of abandoned inner peace. If you experience dizziness, ensure your lockfile is committed and try again after clearing your module cache.

If you have a fanless Mac, this website will provide a suitable imitation. Match the volume to whatever feels grounding. ↩

TinyBase 8.0: A Reactive Data Store for Local-First Apps

2026-03-11T22:47:34Z

— A reactive data store and sync engine that can be used as the entire backend for many types of app. It can stand alone or integrate with all sorts of things like cloud storage, client-side stores, SQL databases, etc. v8.0 adds a middleware feature and the ability to store objects and arrays in its ‘cells’.

Unbarrelify: Barrel File Removal Tool for JavaScript

2026-03-05T18:01:39Z

— From the creators of Knip, a barrel file removal tool for JS/TS projects (ESM-only).

Making WebAssembly a First-Class Citizen on the Web

2026-03-03T20:51:35Z

— WASM has come a long way but remains tricky to work with on the Web, with even performing a console.log requiring a lot of glue code. Ryan makes the case that the WebAssembly Component Model could change this by letting modules bind directly to browser APIs, load directly from script tags, and more.

The Power of ‘No’ in Internet Standards

2026-02-13T19:18:58Z

by Mark Nottingham, who’s being Doing Standards for so long he used to travel to work by stegosaurus

Building Bulletproof React Components

2026-02-13T19:10:56Z

— Ten production-tested patterns to ensure your components survive the gauntlet of portals, transitions, hydration, being used server-side, and other modern React features. An elegant, no-nonsense guide from the co-creator of SWR and creator of Vercel’s React Best Practices skill.

npmx: A New npm Registry Package Browser

2026-02-10T21:45:08Z

— A smooth, fast way to browse packages on the official npm registry. It’s certainly fast, smooth, and you see more info up front and center - check out the axios page for example. “We’re not replacing the npm registry, but instead providing an elevated developer experience through a fast, modern UI.”

SVG Cickjacking

2025-12-13T21:26:21Z

– “Clickjacking is a classic attack that consists of covering up an iframe of some other website in an attempt to trick the user into unintentionally interacting with it. It works great if you need to trick someone into pressing a button or two, but for anything more complicated it’s kind of unrealistic. I’ve discovered a new technique that turns classic clickjacking on its head and enables the creation of complex interactive clickjacking attacks, as well as multiple forms of data exfiltration.”

So Long and Thanks for All the Applets

2025-12-13T13:25:40Z

– So farewell, Java Applets: “The entire java.applet package has been removed from JDK 26, which will release in March 2026.”

No-op functions vs. optional chaining in JavaScript: performance deep dive

2025-11-08T21:08:42Z

The present and potential future of progressive image rendering

2025-10-31T20:02:26Z

– Jank Architect compares JPEG XL and AVIF. TL;DR: AVIF is better.

I Built the Same App 10 Times: Evaluating Frameworks for Mobile Performance

2025-10-31T19:37:29Z

— When targeting mobile devices, small bundle sizes and quick rendering times are key, so Loren wanted to see how different approaches compared. Marko, SolidStart, SvelteKit, Qwik, Nuxt, Next.js and more are all under the spotlight here.

Awesome npm Security Best Practices

2025-10-07T18:34:57Z

— Web security expert Liran Tal has put together a handy set of best practices to consider when working with the npm ecosystem, whether or not you’re using the canonical npm tool. Plenty of good advice here.

NPM Security Best Practices

2025-10-01T20:45:14Z

— An extensive list of best practices, techniques, and ideas to consider for making your use of the npm packaging ecosystem and its tooling more secure.

Cap'n Web: A New RPC System for Browsers and Web Servers

2025-09-29T12:45:30Z

— A ‘spiritual sibling’ to Cap’n Proto, an RPC protocol created by one of the same authors. However, Cap’n Web’s underlying serialization is human-readable, focused on integrating well with JS runtimes, and works over HTTP, WebSocket, and postMessage() out-of-the-box.

'React Won by Default – And It's Killing Frontend Innovation'

2025-09-17T18:09:58Z

— An opinionated React thought-piece that’s provoked much discussion this week by poking at the downsides and inertia caused by ‘the React-by-default mindset.’ And we thought people said React was moving too quickly..? 😅

The ‘Accessibility’ link is a Lie: My Adventures in Weaponizing Corporate Virtue Signaling

2025-08-08T23:33:52Z

It’s time for modern CSS to kill the SPA

2025-08-08T23:12:11Z

– An SEO consultant writes “Use modern server rendering. Use actual pages. Animate with CSS. Preload with intent. Ship less JavaScript. Build like it’s 2025 – not like you’re trapped in a 2018 demo of Gatsby. You’ll end up with faster sites, happier users, and fewer regrets.”

The Many, Many, Many JavaScript Runtimes of the Last Decade

2025-07-30T12:15:50Z

— A meaty article (which took a year to put together) covering the myriad of JavaScript runtimes and engines both past and present, from obvious picks like Node.js to cloud platforms and lesser known ‘honorable mentions’. This is a great summary to round out your JS ecosystem knowledge.

WebAssembly: Yes, But for What?

2025-07-18T23:06:13Z

— Writing for ACM Queue, one of the contributors to multiple JavaScript and WebAssembly (WASM) implementations shares a good roundup of where WebAssembly is being used, both in the browser and server-side, and how it’s gradually finding its way into seemingly everything.