Today's compromised npm package (https://github.com/dominictarr/event-stream/issues/116) only had the malicious code in the minified version.
We don't always think of JS as a compiled language, but reproducible/verifiable compilation would have helped here: if the published minified file could be rebuilt byte-for-byte from the source, anything that only exists in the artifact would show up as a mismatch.
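Here is the check that reproducible compilation makes possible, as an added example that is not part of the original post or of the event-stream project: rebuild the artifact from source with a deterministic build step, hash both, and report any content in the published file that the rebuild does not explain. The `deterministic_minify` function is a stand-in assumption for a real pinned minifier, and the source and published files are constructed samples.

```python
"""Verify a published (minified) artifact against a deterministic rebuild from source."""
import difflib
import hashlib
import re


def deterministic_minify(source: str) -> str:
    """Stand-in for the real build step (assumption: a pinned, deterministic minifier).

    Strips line and block comments and collapses whitespace. A toy: it does not
    understand strings or regex literals, so use the project's real toolchain in practice.
    """
    no_line_comments = re.sub(r"//[^\n]*", "", source)
    no_comments = re.sub(r"/\*.*?\*/", "", no_line_comments, flags=re.S)
    return re.sub(r"\s+", " ", no_comments).strip()


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def _unexplained_segments(rebuilt: str, published: str) -> list:
    """Return the pieces of `published` that the rebuild does not account for."""
    matcher = difflib.SequenceMatcher(None, rebuilt, published, autojunk=False)
    return [
        published[j1:j2]
        for tag, _i1, _i2, j1, j2 in matcher.get_opcodes()
        if tag in ("insert", "replace")
    ]


def verify_artifact(source: str, published_min: str) -> dict:
    """Rebuild from source, compare hashes, and explain any mismatch."""
    rebuilt = deterministic_minify(source)
    result = {
        "expected": sha256_hex(rebuilt),   # hash of what the source should produce
        "actual": sha256_hex(published_min),  # hash of what was actually published
    }
    result["match"] = result["expected"] == result["actual"]
    result["unexplained"] = [] if result["match"] else _unexplained_segments(rebuilt, published_min)
    return result


# Constructed sample: a tiny library source and two candidate published artifacts.
SOURCE = """// constructed sample source, not real package code
function map(fn) {
  return function (stream) { return stream.map(fn); };
}
module.exports = map;
"""
CLEAN_PUBLISHED = deterministic_minify(SOURCE)
# Constructed tampered artifact: an extra statement that exists only in the minified file.
TAMPERED_PUBLISHED = CLEAN_PUBLISHED + " require('./extra-module');"


if __name__ == "__main__":
    for label, artifact in (("clean", CLEAN_PUBLISHED), ("tampered", TAMPERED_PUBLISHED)):
        report = verify_artifact(SOURCE, artifact)
        print(label, "match" if report["match"] else "MISMATCH", report["unexplained"])
```

The useful property is that the check needs no knowledge of what malicious code looks like: anything in the artifact that the rebuild cannot reproduce is flagged, which is exactly what a signature-based review of the source tree would have missed here.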
Related Posts
One nice feature of cargo that I wasn't previously aware of: you don't need to do anything after updating your Cargo.toml.
In npm, you need to remember to `npm i` after changing package.json. It's not declarative and the state can get out of sync.
Coming from JS or Python, imports in Rust feel weird. They're entirely optional aliases for fully qualified symbols, which are always available.
I don't know of many other languages where you can just start using libraries. Java is the only one I can think of.
It's a small thing, but I'm much happier with the output of --version in the latest version of difftastic.
It shows the release version number, the commit hash, and the commit date. This gives you a sense of the age of the release while keeping the build reproducible (unlike embedding the build time, which changes on every build).
It also shows OS, arch and compiler, because those are common requirements in bug reports.