A community of more than 1,600,000 database professionals and growing

Npm is the default package manager for the Node.js runtime. Most of us have heard of of Javascript, which is used extensively in writing applications. When developers write code using this framework, they often include code from other packages and developers, just referring to the functions they need. This allows applications to build on the work of others, without having to re-implement functionality that is commonly used.

Many languages have libraries that are available for use, but most require that a developer download them, include them in their software and then publish the resulting software. In many node.js applications, the developer does some of this, but when they publish the application, the users pull down the versions of the packages that they need at that time. This allows developers to avoid including a lot of code in their applications, reducing file sizes, bandwidth, etc.

Recently an issue arose with a popular package that is included in many applications. I first noticed this on Twitter, then saw it called out in a Visual Studio User Group meeting and then even more online. A programmer made some helpful changes to the package and was given rights to make more by the maintainer. This user when altered the package to include some malware that would attempt to steal bitcoins from users that ran an application using the package.

This is much different than how our T-SQL code is structured, with all the code contained inside the database. There are some exceptions, but for the most part we can look at all the code that will be executed as a part of our batch. That doesn't mean that we aren't responsible for reviewing and checking out code.

This might not be easy in the Javascript world, but it should be easy(ier) for us. I know the warnings about testing code exist, but I'm always somewhat surprised when users ask questions on the SQLServerCentral forums, and then can't understand why simple code (select count(total) from mytable) doesn't work on their system because they don't have a mytable. That causes me to think that too few people actually look at code before they run it. If they don't check a 10-30 line set of code, do they ever check something as complex as Ola's script? Likely not.

Part of our duty as professionals is to be careful with code that we get from others, run it in a sandbox, test it, make sure this is code that will work well for us. Not many of us can download code from the web and have it run on our SQL Server without modification, but if we're asking questions on a forum, we might just do that. If the problem is complex and the code is large, we might not pay enough attention. As SQL Server expands to get code in R, Python, Java, and more, we may need to be more diligent in scanning code to look for problems such as data leakage.

Can you imagine getting some Python code from the web that should break strings apart into works and find out that somewhere in the complex class structures this code also sends a copy of your data to some malicious website? I can, and it's why I'd be very careful vetting code on the data platform.

Join the debate, and respond to today's editorial on the forums

The cost threshold for parallelism is the cost at which a single serial plan will be considered for parallelism. "Serial" means "single threaded" or "not parallel" in this case, not that it's a murderous psychopath query.

Let's say you have cost threshold for parallelism set at 50. You might see a parallel query with a cost of 45. That isn't breaking the rules - it means that running the query with a serial plan costed out higher than 50.

Ref: Configure the cost threshold for parallelism Server Configuration Option - click here

» Discuss this question and answer on the forums