
Why does elapsed time mean a library is safe? This is so ridiculous. It doesn't protect you against anything. I'm sure there are 1000s of old libraries out there with hidden vulnerabilities or malicious code.


Literally nothing can mean a “library is safe.”

The idea of “safe” in terms of risk and security has misled a lot of people into this wrong idea that there’s a binary state of safe and unsafe.

It’s all about risk management. You want to reduce risk as inexpensively as possible. One of many inexpensive approaches is “don’t install dependencies that are new.” Along with “don’t install dependencies that nobody else uses.” You might also apply the rule, “don’t install dependencies that aren't shipped with the OS.” Or “don’t use dependencies that haven’t been formally proven.” Etc.

Indeed, calling it “Safe-NPM” can be misleading. As if using it achieves some binary state of safety.
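One way to mechanise the "don't install dependencies that are new" rule from the comment above, as an added example that is not code from the thread or from any Safe-NPM tool: it reads the `time` map that an npm registry packument carries, accepts a version only once it has survived a minimum age (90 days by default), and picks the newest version that has. The packument contents are constructed sample data.

```python
from datetime import datetime

# Constructed sample of the "time" map in an npm registry packument (real
# packuments map each version to its publish timestamp, plus "created" and
# "modified"); the package name and dates are made up for this example.
SAMPLE_PACKUMENT = {
    "name": "example-lib",
    "dist-tags": {"latest": "2.1.0"},
    "time": {
        "created": "2021-03-01T10:00:00.000Z",
        "1.4.2": "2023-11-20T08:15:00.000Z",
        "2.0.0": "2024-05-02T12:00:00.000Z",
        "2.1.0": "2024-08-28T09:30:00.000Z",
        "modified": "2024-08-28T09:30:00.000Z",
    },
}

def _parse(ts):
    """Parse the registry's ISO-8601 UTC timestamps into aware datetimes."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def version_age_days(packument, version, now_iso):
    """Whole days between a version's publish time and `now_iso`."""
    return (_parse(now_iso) - _parse(packument["time"][version])).days

def is_old_enough(packument, version, now_iso, min_age_days=90):
    """The 'don't install new dependencies' rule as a boolean check."""
    return version_age_days(packument, version, now_iso) >= min_age_days

def newest_aged_version(packument, now_iso, min_age_days=90):
    """Newest published version that has already survived min_age_days.
    Returns None when every version is still inside the window."""
    candidates = [
        v for v in packument["time"]
        if v not in ("created", "modified")
        and is_old_enough(packument, v, now_iso, min_age_days)
    ]
    if not candidates:
        return None
    # Rank by publish time rather than by version string: no semver parsing
    # needed, and a backported patch release is still judged by its own age.
    return max(candidates, key=lambda v: _parse(packument["time"][v]))

if __name__ == "__main__":
    now = "2024-09-10T12:00:00Z"
    latest = SAMPLE_PACKUMENT["dist-tags"]["latest"]
    print(latest, "old enough:", is_old_enough(SAMPLE_PACKUMENT, latest, now))
    print("newest aged version:", newest_aged_version(SAMPLE_PACKUMENT, now))
```

Ranking by publish time means a freshly pushed "old" version number gets no credit for its number, which is the point of the rule.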


Most supply chain attacks have a very limited window in which they’re exploitable. This is not a panacea, but it is a good idea.


Hedging bets of zero day vs compromise (that have big chance to be found in those 90 days). But yeah, not a good idea


And you'll always have a professor say, "Send me the word document for review", then they will provide inline feedback and return the file back to you. In these cases the technology isn't the constraint, the existing process from the institution is.


This is very true and almost nobody sees it...


Angular is used a lot in enterprise apps/services when they need a low risk one-way to do things (e.g. Apple's App Store developer portal).

React is used in enterprise when teams need to move fast and break things (e.g. Microsoft Edge's UI after switching from Trident/Spartan/EdgeHTML to Chromium) and tend to be replaced with something else when dev teams / managers realise that they need to rebuild it anyway just to keep it maintained and/or gain more performance. (e.g. Edge "WebUI 2.0" moving their browser UI from React to web components)

Vue is used a lot in Asian enterprise markets.


"You cannot add 127.0.0.1 or localhost as a callback URL"

...watch me.


I was wondering about use cases for this, this makes so much sense now.


And what's that reason .... ?


98% of developers can't see it


I actually didn't mind COM and DCOM. I didn't overuse it, so it never bit me. I guess it's why I love using Microsoft Orleans. The virtual actor model is enough for me to solve almost every problem. If Cloudflare Durable Objects (https://developers.cloudflare.com/durable-objects) can reduce latency they might have the winning product.


On that note, do you mind helping me understand something I haven't been able to glean from Microsoft's docs? Does Orleans give you a way to globally address a thread?

With Durable Objects, two clients on either side of the world can both request a websocket connection to an object with the same unique identifier, and all the bytes from those clients will land in one single process somewhere inside a CloudFlare data centre.

I am pretty sure the answer is yes, but the docs seem a bit less direct than CloudFlare's web focused use cases.

