by Lazare 3081 days ago
Very displeased about this response.

> In yesterday’s case, we got it wrong, which prevented a publisher’s legitimate code from being distributed to developers whose projects depend on it. We identified the error within five minutes and followed defined processes to reverse this block. Unfortunately, the process was complicated by well-meaning members of the npm community who believed that a malicious actor or security breach was to blame and independently attempted to publish their own replacements for these packages.

No. Assuming everything in that excerpt is true (and I happen to know it's not, but that's not even relevant here), that wasn't the problem.

The problem is that NPM allowed packages to be re-uploaded by new authors after the initial versions had been spam filtered. Especially since allowing packages to be re-uploaded by new authors was the core issue of the left-pad debacle, and the one thing NPM said they'd fixed in response.

Let's summarise here:

1. NPM has a big issue

2. They claimed they had fixed it

3. They had not

4. In their post mortem they're pretending the issue doesn't exist

This guts any remaining trust I had in npm. Even if I wanted to trust them, they're not even admitting the problem exists; how am I meant to believe they're finally going to fix it? They've stopped even promising to fix this, and moved on to lies and denial.

Unacceptable. Literally. This is pushing me away from the node ecosystem because I am not prepared to accept this sort of weaponized incompetence from the primary package repo for node.


With all that money they've raised, it's puzzling why they don't take PR seriously. I guess they have a mentality of "where the fuck else are you gonna go, the node community is tightly coupled to our service"
It's almost as if the tech community has to learn once again centralized systems with a trusted authority at the top can't be trusted when that trusted authority makes mistakes.
It's kind of unbelievable that NPM is a for-profit company that serves the node community for free. You can't possibly expect them to make the right choices when the community isn't whom they are directly responsible to. NPM should be a nonprofit foundation, a co-op, or some other organization that has its operations funded by the community and has elected positions.

Their lack of financial or other interests in the community directly explains their policies.

Honest question: what's the alternative?
I've mentioned this elsewhere in this discussion, but: https://github.com/ramasilveyra/gitpkg

I've been using it a bit, and it's really nice. Yarn (and the npm command line tool) already provide nice methods to install packages from arbitrary locations, including git repos; this provides a nice mechanism for publishing to git repos. It's a super simple solution, but then, it's not really a hard problem.

Publish your package on an HTTP-reachable git server and use that as the location for your package.
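As an added illustration of the git-hosted alternative the two comments above describe (this is example code added here, not code from the thread, from gitpkg, or from npm/Yarn), the script below audits a parsed package.json and flags git dependencies that are not pinned to a full commit SHA. The point it makes is the practitioner's caveat to "just install from git": npm and Yarn accept `git+https://host/path.git#<commit-ish>` and `github:user/repo#ref`, but a branch or tag ref, a `#semver:` range, or a bare URL with no ref resolves to whatever the remote currently points at, which is the same mutability problem the registry has; only a full 40-hex commit SHA is immutable. The package names and hostnames in the sample are constructed.

```javascript
// Added example: audit git dependencies in a package.json for pinning.
// Assumptions: dependency specs use the npm/Yarn forms
//   git+https://host/path.git#<ref>, git+ssh://..., github:user/repo#<ref>
// Only a full 40-hex commit SHA is treated as pinned; branches, tags,
// short SHAs and #semver: ranges can be re-pointed on the remote.

const GIT_URL = /^(?:git\+)?(?:https?|ssh|git):\/\/[^#]+?(?:#(.*))?$/;
const SHORTHAND = /^(?:github|gitlab|bitbucket):[^#]+?(?:#(.*))?$/;
const FULL_SHA = /^[0-9a-f]{40}$/;

// Returns null for non-git specs (registry ranges, file:, etc.), otherwise
// one of 'pinned', 'unpinned', 'semver', 'mutable-ref'.
function classifyGitSpec(spec) {
  const m = GIT_URL.exec(spec) || SHORTHAND.exec(spec);
  if (!m) return null;
  const ref = m[1];
  if (ref === undefined || ref === '') return 'unpinned';   // default branch HEAD
  if (ref.startsWith('semver:')) return 'semver';           // resolved from tags, mutable
  if (FULL_SHA.test(ref)) return 'pinned';
  return 'mutable-ref';                                     // branch, tag or short SHA
}

// Walks the dependency fields and returns every git dep that is not pinned.
function auditGitDeps(pkg) {
  const findings = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const kind = classifyGitSpec(spec);
      if (kind && kind !== 'pinned') findings.push({ name, field, spec, kind });
    }
  }
  return findings;
}

// Constructed sample package.json (hypothetical package names and host).
const SAMPLE_PKG = {
  name: 'example-app',
  dependencies: {
    'lib-pinned': 'git+https://example.com/org/lib-pinned.git#1a2b3c4d5e6f708192a3b4c5d6e7f8091a2b3c4d',
    'lib-branch': 'git+https://example.com/org/lib-branch.git#main',
    'lib-tag': 'github:org/lib-tag#v1.2.0',
    'lib-head': 'git+ssh://git@example.com/org/lib-head.git',
    'lib-semver': 'git+https://example.com/org/lib-semver.git#semver:^1.0.0',
    'lib-registry': '^2.0.0',
  },
};

for (const f of auditGitDeps(SAMPLE_PKG)) {
  console.log(`${f.field}.${f.name}: ${f.kind} (${f.spec})`);
}
```

Run against the sample, this reports lib-branch and lib-tag as mutable refs, lib-head as unpinned, and lib-semver as a semver range; only lib-pinned passes. Pinning to a SHA does not make the host trustworthy, but it does mean a re-pointed branch or a retagged release cannot silently change what your lockfile-less install resolves to.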
Distributed systems. Mirrors. Tools that are agnostic about sources for packages.

There's no reason that we must have a single, centralised package repository for a language and the dominant tool chain for that language relying on it by default.

nix (pkg manager). Can give you an insane amount of control over how your project builds, especially if you use nixos, but with great power comes great responsibility XD.
>This guts any remaining trust I had in npm. Even if I wanted to trust them, they're not even admitting the problem exists; how am I meant to believe they're finally going to fix it? They've stopped even promising to fix this, and moved on to lies and denial.

The cold reality I'm realizing is: what are you going to do about it? If you have tens of thousands of lines of javascript written using dependencies from NPM, what is the next step?