Hacker Timesnew | past | comments | ask | show | jobs | submitlogin

Fun article, but it leaves out my favorite "almost ignore" feature in Git: `.gitattributes`.

This file lets you specify that git should "ignore" the diff from certain files. For instance, Node projects have a `package-lock.json` that is pure noise from a Git standpoint (it's just massive amounts of diff specifying specific versions of libraries, and the real human-readable version is in a separate `package.json` file).

With `.gitattributes` in the root of your project, you can just add a line:

`package-lock.json -diff`

Now, that file will still get staged/committed (which you want) ... but when you `git diff` you won't see the massive amounts of pointless diff in that file.



> that is pure noise from a Git standpoint

It shouldn't be noise. Don't update it if you're not intentionally trying to, otherwise you're exposing yourself to supply-chain risk for no reason. If you are regularly getting unexpected `package-lock.json` changes then you are doing something wrong.


It's not about unexpected changes. It's about DX in git CLI. You don't want to see massive diffs that are basically unreadable for humans, you just want to see that the file changed.


> you just want to see that the file changed

I check the diff for uv.lock (Python counterpart of package-lock.json) every time I merge a PR. It is important to know which direct or transient dependencies have been updated. We don't blindly bump all dependencies to the latest versions (you shouldn't either).


Python packages aren't quite so insane on transitive dependencies. The diff of package-lock.json can be novel length.


write your requirement.txt files via

    pipdeptree --freeze
to see this clearly


FYI the uv equivalent is

    uv pip tree


not interested, really


same - I check the changelog for every major (== minor if v0) and some minor version changes in most of my projects, including at work. I've caught quite a lot of would-have-broken-something changes, and opportunities for fixes/optimizations/etc by doing so. and sometimes they mention fixing a bug we didn't know we had, so we learned about it early before it corrupted too much data.


It's nice to have that luxury, we just don't have the manpower to devote to that. Major versions sure, otherwise it's just update and run test-suite and some smoke tests.


it helps a lot if you make an effort to keep your dependency tree relatively small


We are talking about npm here... Any framework like React, Vue, Angular, Svelte, etc. is going to pull in hundreds or thousands of packages. I just checked one of the smallest web projects I have (5 dependencies, no framework) and it has 265 packages In package-lock.json. My personal website (vite + nuxt) has 1171.


But it's not always massive, it's a good practice to see what the diff is and ensure there is no weird dependency (aka supply chain attack) showing up in there.


In my opinion you have no chance of identifying supply chain attack like this. It's not like you will see "evil-package": "*" in there. Supply chain attacks happen by appending obfuscated code deep into dependency no one knew you had in the first place.


It's a CLI. DX is not the only concern. What about scripts that expect the default git behavior?

You could argue "those scripts are dumb then! outta my way!", but then you shouldn't be using a CLI for whatever it is you're trying to do. If you insist, you can just grep or use the --stat option.

We already know the git CLI has plenty of antifeatures like this. It is up to the devs how they want to proceed, but it doesn't change the fact that hiding things is a footgun.


You can suppress the git attribute system if you need default settings. I wouldn't call it "antifeature" but customizability as git was always supposed to be used with CLI, this is just a way to make output less verbose.


If your diffs are too large to review your project structure needs change. I go by the broad statement that EVERY line should be read, understood and explainable by the developer.

For critical files like package-lock.json I'd also expect developers to explain why a library was added or a version was changed and the impact of the version change. The lack of such basic hygiene is why supply chain attacks are so common these days.


Are you saying "as a developer, you don't want to see what code you ship as transitive dependencies"?

I guess it's the norm in the software industry, but that's slightly irresponsible.


It’s too much code. Maybe companies are able to handle this, but as a solo dev it’s completely infeasible.

I could just not use those deps, but then I won’t be able to build anything interesting. The software industry has historically relied on being a high-trust society; I don’t know what will happen if that is changing.

Rewriting every dep with Fable for every project, maybe.


There is a big difference between completely YOLOing your dependencies and deeply reviewing all their code. It is a gradient, by acknowledging that you ask git to hide the file because you consider it "noise", you say that you are on the YOLO far end of the spectrum.

Every dependency adds risk, the goal is to minimise them. If you include a dependency for something that you would code in 20 lines, you should at least wonder if it's worth it or not. If that dependency pulls 5 transitive dependencies itself, probably you should go for the 20 lines.

As you say, sometimes it's impossible to track because there are so many dependencies (thanks to modern package managers that make it so easy). But at least you should see that your dependencies are completely out of control. If you ship an app where 95% of the code comes from dependencies you have never seen, you may as well have vibe-coded the app.

> The software industry has historically relied on being a high-trust society; I don’t know what will happen if that is changing.

I very much disagree with that. Most software is bad and shouldn't be trusted.


You know what’s bad DX? Your company’s product having a massive security breach, people stop using it, and having to lay off all the software engineers


DX = ? Developer experience maybe?


Yes


The point is that it should not be massive.


Tell that to the NPM folks.


It also directs Github to automatically collapse those files to the "Show Diff" interface by default. I'd still call the contents of things like lockfiles, protobuf output, big JSON blobs, etc, "noise" when reviewing PRs for code changes, but that doesnt mean I dont look at them.


I think you're missing the point there. It's like I need to commit my project files for the project to compile, they're in xml format so they're human readable. But that doesn't mean I need to see the diff because I'm not going to review them


People are jumping on it being an important file to review. You don't want to ignore the diff.

Even if that's true, you definitely do not want to attempt merge two lock files, and using the .gitattributes file to set the merge strategy is a good idea!


There are also "semantic" diff and merge tools for a variety of languages, and a few specialized for JSON. That stuff was always pretty niche, but it's becoming more popular with AI agents and not wanting to or not being able to review every merge by hand.


eg.

    config.json merge=ours


thank you for being the first in this thread to actually prescribe what strategy to use, its been infuriating reading thru but not having the same level of knowledge


package-lock.json shows all your transitive dependencies, package.json just shows your direct dependencies. It is simply not true that the latter is "the real human-readable version". They serve different purposes and it is dangerous to say you can always ignore the diff in your lock file.


To me it still sounds like a build artifact, and not source code: yes, you want to keep it and track changes to it, but freeze tools should allow one to easily get a reproducible build of package-lock.json too (eg. by passing a timestamp, it should be able to regenerate the lock file with latest-as-of-timestamp).

Maybe they do — I am not too deep in JS ecosystem — but that should be the basis of a true SBoM (generated, static artifact tied to a release build) and reproducible builds (able to regenerate byte-for-byte identical artifacts from actual source of truth which is your package.json).


as someone who deals with dep upgrades and forensics when trying to figure out a bug I would get _so mad_ if `git diff` didn't show the diffs to lock files.

I get what you're saying about it being line noise but when you need it you need it!


and in today's world of constant supply-chain attacks, you do probably _do_ need it!

We've adapted: - our CI and git hooks so that our dependency or .lock files are visible when they change, and error if they change inconsistently - and our team procedures to confine dependency updates to dedicated commits

The idea being that when you see one of those "messy" .lock file changes...you were expecting it. If you see one and are annoyed by it (like OP) that's actually a waving red flag that a dependency changed.


Better: set up a git diff driver so you see the semantic changes, not line-by-line changes.


It also leaves my favorite way of ignoring files in Git: actually just ignore them yourself and never use shortcuts that break that (like "git commit -a" or "git add .")!


You should 100% track package-lock.json, and I'll go a step further and say you should most likely track node_modules too.


If the underlying infrastructure does not provide reproducible builds, I'd suggest you should instead fix that.


Sounds like a powerful feature for subverting code review…


This is probably the most batshit insane insecure advice I've ever read on Hacker News ever. And everyone is wondering why NPM based attacks are so prevalent? Advice like this is being followed.


I think you misunderstand the functionality. It doesn't ingnore the diff completely. it just replaces the full contents with "`Binary files differ"

> Use -diff to completely hide the internal file content during a diff. Git will only report `Binary files differ` if the file changes.

Same like you would binary files. It's still good advice to actually review the lockfile changes at some point.

You can also apparently write transformers to make it more human readable.


It’s fine imo, you’ll still see the diffs in PRs before merging, but majority of the time it’s just noise when developing locally. LLM agents also use git diffs frequently, why spend 10x the tokens analyzing package lock diffs instead of actual business logic changes.


Explain the attack that gets mitigated by reading the diff of a lockfile?

Every major npm attack I can think of essentially follows the pattern of "version X.Y.Z is secretly evil". How does seeing package@X.Y.Z in your lockfile alert you to that?




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: