YAML whitespace is cursed
YAML is cursed and shouldn't exist. I will die on that hill, with either 4 whitespaces or a tab to back me up.
this post was submitted on 18 Jul 2025
133 points (97.8% liked)
Programming
21650 readers
218 users here now
Welcome to the main community in programming.dev! Feel free to post anything relating to programming here!
Cross posting is strongly encouraged in the instance. If you feel your post or another person's post makes sense in another community cross post into it.
Hope you enjoy the instance!
Rules
Rules
- Follow the programming.dev instance rules
- Keep content related to programming in some way
- If you're posting long videos try to add in some form of tldr for those who don't want to watch videos
Wormhole
Follow the wormhole through a path of communities !webdev@programming.dev
founded 2 years ago
MODERATORS
I'm with you on the white space thing. Spaces, especially multiples of spaces, should not have a programming function.
Some web features like the clipboard API only work in "secure contexts" (ie. https or localhost)
I think that's reasonable behavior
I don't. You can't even copy to the clipboard in an insecure context.
Except... You can! You just have to use the old deprecated and ridiculously awkward execCommand method.
If that's so insecure why do all browser's still support it?
The bcrypt implementation only uses the first 72 bytes of a string. Any characters after that are ignored.
what
This is how someone cracked Okta a few years back: https://medium.com/@rajat29gupta/bcrypt-and-the-okta-incident-what-developers-need-to-know-9d13a446738a
Older Unix systems used to only do the first 8 bytes for passwords. Sometimes for my own amusement when logging into one of the Sun machines at school, I'd type in enough of my password to count and then just mash the keyboard.
for a long time, hotmail (and i think windows live mail) only checked the first 16 characters.
That's almost as good as the ones that limit password on the sign-in UI, but not on the sign-up
I have run across one that allowed arbitrary length when doing account creation and password reset but silently truncated the login input.
Took me hours to figure out that my password was longer than the documented length, try it and then have no problems.
Some phones will silently strip GPS data from images when apps without location permission try to access them.
This is quite reasonable.
Wtf?
Opening a file with a program that doesn't support part of the file will delete that part
There is nothing even remotely reasonable with that.
It is not. App X creates image A with location data.
App Y without location permission accesses image A in read mode. Now image A has no location.
You open image A again from app X and the location is no longer there. It makes no sense. Had app Y written to image A, it makes sense that location data was stripped. But opening a file in read mode should not alter it. Except for metadata of the kind "last opened at ...".
In modern android you do not open files, you use an OS service to get an image, which may or may not come from a file on the device. If you want to open files you need a different permission.
You could argue that android should have a permission level for apps that need image geolocation but not GPS.
One could argue they a reading service should not alter the thing that's read. Android is not a quantum state!
Yes but do they present a stripped copy or strip it from the original?
load more comments
(6 replies)
JavaScript Date objects are cursed
JavaScript date objects are 1 indexed for years and days, but 0 indexed for months.
Oh that's not nearly the only thing javascript fucks up about their Date() implementation. https://jsdate.wtf/
I ... this seems like a std library made to troll you. Is there a (good) reason it is like that?
Backward compatibility and not seeing the future. Some decisions are taken at one point in time, then a new use case show up, then a new paradigm evolve, then… etc etc.
It's really the same thing that holds back a lot of languages and libraries. And even when replacement shows up, old habits from devs and old projects maintenance keep all these things well alive too.
"I want predictable behavior for all possible inputs" is hardly a requirement that requires a fortune teller to see coming.
JavaScript has a particularly insane stdlib because this language wasn't designed, it is a botched chimera with deformities so severe it should have died 15 times over but people just won't let it.
Then to rub salt in the wound this horrific mess became the most popular language in the world by virtue of being the only language for the most popular application ecosystem in the world (the web). So the cancer is spreading and now you can find JavaScript in servers and fucking desktop environments and now your windows start menu takes five seconds to load because fucking react.js is loading the 75 polyfills necessary to make up for the fact that JS's "standard" library looks like it was designed by 3 cocained-up gibbons.
early js/html liked to do something in all cases instead of throwing or whatever. I think it's mostly just a collection of them trying to do something smart on nonsense input and not being consistent about it.
side note, I'm so excited for Temporal, some browsers already support it and you can polyfill for the rest.
No.
I can only imagine it wasn't planned properly, cuz that's so many quiet behaviours without good parsing errors
Postgres is cursed for only allowing 65535 parameters in a single query?
Someone correct me if I am wrong, but that is a fairly large number (I think Microsoft SQL is limited to 2000 or something like that) AND this seems like a terrible design pattern.
I learned this one the hard way when trying to query GeoJson data, and trying to get specific, constrained, data about specific features within an area. Excluding features the user doesn't have access to.
Sometimes this got up to 65k features.
I definitely could see geojson getting that large.
goes looking for the issue
PostgresSQL has a limit of 65,535 parameters, so bulk inserts can fail with large datasets.
Hmm. I would believe that there are efficiency gains from doing one large insert rather than many small
like, there are probably optimizations one can take advantage of in rebuilding indexes
and it'd be nice for database users to have a way to leverage that.
On the other hand, I can also believe that DBMSes might hold locks while running a query, and permitting unbounded (or very large) size and complexity queries might create problems for concurrent users, as a lock might be held for a long time.
EDIT: Hmm. Lock granularity probably isn't the issue:
https://stackoverflow.com/questions/758945/whats-the-fastest-way-to-do-a-bulk-insert-into-postgres
One way to speed things up is to explicitly perform multiple inserts or copy's within a transaction (say 1000). Postgres's default behavior is to commit after each statement, so by batching the commits, you can avoid some overhead. As the guide in Daniel's answer says, you may have to disable autocommit for this to work. Also note the comment at the bottom that suggests increasing the size of the wal_buffers to 16 MB may also help.
is worth mentioning that the limit for how many inserts/copies you can add to the same transaction is likely much higher than anything you'll attempt. You could add millions and millions of rows within the same transaction and not run into problems.
Any lock granularity issues would also apply to transactions.
Might be concerns about how the query-processing code scales.
I learned that not too long ago, too.
I mean it surprised me, but there are many ways around that. May be less efficient, but you can always use string-to-array, or json, or copy more for CTE then work with inputs as a table.
Create a user defined table type and use that as a parameter. I'm not sure what the postgres name of that is.
And how do you put data into the table?
Based on old memories since I've been working in mongo lately, after making the UDT on the db side, you make a data table that has the same name, namespace (ie dbo/public), and the same schema as the UDT (better if that could be generated) and populate it in code. Then you execute the db query with the UDT type as a parameter.
This is better for a few reasons, including not building up a string, but also having the same text means that each query didn't need to be re-parsed and can reuse execution plans. If the query text isn't an exact match, it gets that whole pipeline each time.
I’d say running up against a 16bit number for a database import in 2025 is a little cursed. MS is special, still has a 260 path character limit (albiet soft now) in Windows.
Also with more phones taking an image and a video that is only 32767 snaps, which is probably a regular headache for initial imports.
Git's autocrlf feature causes more issues than it solves in my experience. I don't think there are really any tools on Windows that can't handle Unix line endings any more. Even notepad can now.
I recommend you set it to input which will fix them to be Unix line endings on commit, and not change them back on checkout.
view more: next ›