by jshap70 2665 days ago
You also inherit an entire chain of trust over code you yourself didn't write nor did anyone actually validate. The issue with leftpad.js wasn't that it was stupid, it was that it was dangerous.

That concern is somewhat orthogonal to the utility of a package manager itself. If you are using OSS in any way you need to pick and choose what you take on as a dependency. The package manager solves problems like distribution, dependency resolution, and discovery. The ease of use may contribute to poor decision making, which should not be wholly discounted.
To piggyback, this also goes down the dependency chain. Leftpad wasn't bad because it was being used directly. Projects imported other libraries which either directly pulled leftpad or, more likely, pulled another library which may be the calling party or not.
You get just as much trust with officially maintained, but non-std libraries as you do from std...
I disagree. Especially if those non-std libraries are built on other non-std libraries and so on. Trusting a single organization is much easier than trusting a chain of organizations.
If they are officially maintained, then by definition they are written and maintained by the same organisation as the std library.

The difference is, having an external library allows it to be versioned with breaking changes if necessary, without breaking consumers.
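An added example, not code from any commenter in this thread: it walks a constructed, lockfile-style dependency graph to make the transitive trust chain discussed above concrete, reporting how many packages and distinct publishers one direct import commits you to and which chain pulls in a given package. The package names, publishers and the LOCK, transitiveDeps, trustSurface and whoPulls helpers are all hypothetical.

```javascript
// Added example, not from the thread. Walks a constructed, lockfile-style
// dependency graph to show how much a single direct import makes you trust.
// Names and publishers below are hypothetical.
const LOCK = {
  "my-app":       { publisher: "me",        deps: ["ui-kit", "http-client"] },
  "ui-kit":       { publisher: "org-alpha", deps: ["string-utils", "css-reset"] },
  "http-client":  { publisher: "org-alpha", deps: ["string-utils"] },
  "string-utils": { publisher: "org-beta",  deps: ["left-pad"] },
  "css-reset":    { publisher: "org-alpha", deps: [] },
  "left-pad":     { publisher: "solo-dev",  deps: [] },
};
// Breadth-first walk: every transitive dependency of `root` (root excluded),
// mapped to the shortest import chain that reaches it.
function transitiveDeps(lock, root) {
  const paths = new Map();
  const queue = [[root]];
  while (queue.length) {
    const path = queue.shift();
    const node = lock[path[path.length - 1]];
    if (!node) continue; // entry missing from the lock: unresolved dependency
    for (const dep of node.deps) {
      if (dep === root || paths.has(dep)) continue;
      const next = [...path, dep];
      paths.set(dep, next);
      queue.push(next);
    }
  }
  return paths;
}
// Trust surface of `root`: how many packages it pulls in, every distinct
// publisher among them, the ones not published by root's own organisation,
// and how deep the longest chain goes.
function trustSurface(lock, root) {
  const paths = transitiveDeps(lock, root);
  const rootPub = lock[root].publisher;
  const publishers = new Set();
  const external = [];
  for (const pkg of paths.keys()) {
    const pub = lock[pkg] ? lock[pkg].publisher : "<unresolved>";
    publishers.add(pub);
    if (pub !== rootPub) external.push(pkg);
  }
  const maxDepth = Math.max(0, ...[...paths.values()].map(p => p.length - 1));
  return { count: paths.size, publishers: [...publishers].sort(), external: external.sort(), maxDepth };
}
// Which chain of imports pulls `target` in? Returns the path or null.
function whoPulls(lock, root, target) {
  return transitiveDeps(lock, root).get(target) || null;
}
```

Run against a real lockfile by replacing LOCK with the parsed package list; the interesting output is `external` for each direct dependency, since that is the set of organisations you never chose to trust.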