by layoutIfNeeded 2537 days ago
>Why are you installing "lord knows what npm package" on your laptop?

Probably because he installs lord knows what npm packages to his production servers too.


I don't get why people who even admit that they don't trust these random npm packages can think it's okay to ship them in production and put all their users' data at risk. It's malpractice.
I’d love to know a metric of trust and its relation to customer data. How many trust points for how much PII? I’m assuming it’s a logarithmic scale? And a Debian stable package gets, what, double the points of an npm package? Or I guess it depends on the weekly downloads? What about pip, gems, vim plugins, emacs packages (I’m looking at you, melpa), quicklisp, ...

Then we can play an honest thought experiment: how many people satisfy that metric? Don’t forget to correct for how many PII points one is actually handling.

If you don’t at least have some consideration of those factors, claiming malpractice seems fatuous.

It's not a question of establishing an absolute scale of trust. It's about admitting that you consider npm packages to be insecure, but you run them in production anyways.

Imagine you believed that steel had a 10% chance of spontaneous combustion. Regardless of whether it's true or not, if you believe that and you still built a bridge out of it, that's malpractice.

Point being where is the line? How high are the stakes (bridge: say 20 human lives at any time, very important). How dangerous is it really? (10% chance of fire per year: extremely high). Then you combine those two and see if they match.

Everything has a limit. Otherwise why do you trust your compiler, your computer, your eyes, your sanity?

Be careful with a word like malpractice, and analogies that suggest blithe endangerment of human lives. It doesn’t leave a lot of room for honest engagement and suggests you either don’t understand the human mind, or the value of a human life.

You continue to miss the point. It's not a question of _why_ I trust my compiler or my computer. If you trust npm packages and ship them, then that's not malpractice.

It's about admitting you _don't_ trust npm packages, but you go ahead and use them anyway. That is malpractice, because you admit you know better but take the action anyway.

"I know this procedure may do more harm than good, but I will perform it anyways because I'm too lazy to find an alternative"

That is textbook malpractice.

Trust? I don’t even trust my eyes.. :)

Though yes, if laziness is what makes it malpractice, then I’m the Jack Kevorkian of IT. I plead guilty.