[yid]

> It's not usually core, it's all the plugins by authors of unknown provenance and skill.

This is otherwise known as an active developer community and is a good thing. In any open library ecosystem, it's ultimately up to the developer to carefully choose and vet third-party modules. There isn't any substitute for that.

The alternative is a tightly controlled standard library, but that isn't npm's stated goal. Such a controlled, curated, audited standard library is, however, something that could be built on top of npm, but obviously not vice versa.

So npm being a circus is, in the grander scheme of things, a good thing. Novice programmers will necessarily produce novice code.

edit: if it wasn't clear, I completely agree about the security risks of this project.

[micaksica]

> The alternative is a tightly controlled standard library, but that isn't npm's stated goal.

What npm says it is doing on paper and in its charter is not necessarily what npm gets used for. At this point in the ecosystem's maturity, npm developers are doing their users a massive disservice and opening them up to a lot of risk. Maintaining this line of a vibrant active community, and "developers should be responsible for their own security", rings hollow.

As I see it, npm appears to be acting like there are a lot of unsolved problems in this realm, and in doing so are endangering a developer community that is absolutely full of amateurs.

I would argue that JavaScript is the most accessible language of the current era, and Node.js is being pushed by a lot of third parties as the new easy way into programming. These new guys don't know security and want to contribute to the community, and the npm gatekeepers seem to be doing little to stop naïveté from causing virus-like consequences in their dependency chains. When I was a teenager writing code I had no idea what security issues I needed to patch against. I wasn't educated on it and didn't care. I just wanted to make cool stuff. The problem with npm is that the cost of entry of your "cool stuff" into the hands of a thousand trusting others is too low; there is no delineation between what is authoritative and what isn't.

Debian solved this problem years ago. Restrict npm defaults to vetted packages, and have people add repositories as need be (e.g. multiverse, Ubuntu PPA, etc.) for packages that aren't audited or by trusted parties.

The Node user experience often ignores most security issues for ease of use; this is OK when you are guarding people against the most likely mistakes. This is a problem of setting insecure defaults and expecting the Internet to play nice. The user experience, the marketing message, and the community at large defends its openness to the death. I'm all for openness, but at some point senior developers should be attempting to shepherd their new developers into making secure decisions, and thinking in a way that is somewhat security minded.

[yid]

> As I see it, npm appears to be acting like there are a lot of unsolved problems in this realm, and in doing so are endangering a developer community that is absolutely full of amateurs. > The problem with npm is that the cost of entry of your "cool stuff" into the hands of a thousand trusting others is too low; there is no delineation between what is authoritative and what isn't.

I agree that npm has been a bit slow with a bunch of important features like package signing, sandboxing post-install scripts, etc. but as a counterpoint to the authoritativeness issue, I would argue that vetting and defining "authoritative" packages is a difficult problem. I'm not aware of any open/semi-open package ecosystem that has solved this problem (please do correct me if I'm wrong).

As an example in the JS world, which of lodash/ramda/underscore/functionaljs should be the/an authoritative javascript FP library? Should they all be marked authoritative? If so, what is the criteria for a new library to also be authoritative? What happens when a library is abandoned? How do you even define abandoned in an open ecosystem?

These are solvable problems, but not easy ones to reach consensus on.

The Redhat-like alternative is to have a central entity employ/pay contributors to audit and maintain libraries, but it's debatable whether npm would have grown to its current size with that model.

[sotojuan]

Lodash is not a "FP" library—it's just a utility belt. And yes, it should be the authoritative IMO as it has the most support, users, and is worked on almost full time. It can be modular and each method can be installed separately, which is awesome.

Ramda is a utility belt that sticks to pure functional practices wherever it can, something the JS community doesn't do, so it shouldn't be the authoritative.

Underscore is dead and was replaced by Lodash.

While it's hard to do the above with all kinds of libraries, there are some where it's easy.

[sotojuan]

It's taboo in npm culture (as in, the actual npm employees) to stop anyone at the gate. In fact, they actively encourage experiments of all kinds into it.

[Frondo]

What kind of vetting is occurring when you're automatically installing npm modules as you code?

But, "Novice programmers will necessarily produce novice code."

Having had my own variety of experience with CPAN, PEAR, Tcl's package thing, C by way of building my own RPMs and DEBs, and now watching the ongoing trainwreck that is npm, yes. You're right about that.