[dmitriid]

> And we have lock files to verify integrity.

Where do you et these lockfiles files from?

> This is no different to module loading in Node.

This is very much different from module loading in Node: https://news.ycombinator.com/item?id=29871936

> If you don’t trust your registry, you should not be loading code from it!

So you immediately pinpointed the difference: with Node I can run my own registry and easily set up npm/yarn to never load packages from anywhere else. Deno loads code from random urls.

[lucacasonato]

> So you immediately pinpointed the difference: with Node I can run my own registry and easily set up npm/yarn to never load packages from anywhere else. Deno loads code from random urls.

Which is why we support a) import maps which allow you to rewrite all URLs however you want, and b) HTTP_PROXY, which allows you to intercept all HTTP traffic (also letting you rewrite all specifiers).

I don't know if you have ever worked on a Go project, but it has a very similar registry proxy situation as Deno. It works well.

[vorticalbox]

> Where do you et these lockfiles files from?

I don't know about any lock files but the `version` it locked via the import url E.G import R from 'https://deno.land/x/rambda@v7.0.1'

[dmitriid]

This brings us back to the fact that Deno loads random files from random URLs with no way to change it. https://news.ycombinator.com/item?id=29871936

[lucacasonato]

> with no way to change it

You are so wrong. If you would have done maybe 3 minutes of Googling you would know we support import maps, which allow you to arbitrary rewrite specifiers, even deep inside of the module graph.

[vorticalbox]

sure but is that not how a browser works?

for example to add bootstrap to a site you import like this

<script src="https://cdn.jsdelivr.net/npm/bootstrap@5.1.3/dist/js/bootstr..." integrity="sha384-ka7Sk0Gln4gmtz2MlQnikT1wXgYsOg+OMhuP+IlRH9sENBO0LRn5q+8nbTov4+1p" crossorigin="anonymous"></script>

which is exactly the same as deno's "loads random files from random URLs"

[dmitriid]

> sure but is that not how a browser works?

Deno is not a browser.

> for example to add bootstrap to a site you import like this

I know how to import a file in a browser. However, Deno is not a browser. The whole subthread is about managing dependencies, which Deno fails at, and its proponents come up with the most ridiculous things to justify it.

[Longwelwind]

> Where do you et these lockfiles files from?

At dev time, you generate a lock file of the hashes of your dependencies. You commit this file to your code repository.

When getting dependencies, the hash of the downloaded dependency is compared to the one in the lockfile.

[dmitriid]

> At dev time, you generate a lock file of the hashes of your dependencies.

So. At dev time. You download random files from random urls via Deno.

Compared to: At dev time you download files from a trusted repository. https://news.ycombinator.com/item?id=29871936

[Longwelwind]

NPM is not a trusted repository, I think. There are no checks done to the content of the packages uploaded by users. It's up to you to make sure that what you add to your project doesn't contain malware/vulnerabilities.

If you use a lockfile, downloading a package from NPM or directly using a random URL is conceptually the same, since they are both untrusted sources. Having a lockfile will ensure that if you download a dependency to review it for vulnerabilities, later re-downloads of the dependency will not have changed files.

[dmitriid]

> NPM is not a trusted repository

It's not. But it's rather trivial to run your own registry, and many (most?) companies do exactly that.

> It's up to you to make sure that what you add to your project doesn't contain malware/vulnerabilities.

That's why, again, many companies run their own registries, and don't download random files from the internet.

> Having a lockfile will ensure that if you download a dependency to review it for vulnerabilities, later re-downloads of the dependency will not have changed files.

And to generate that lockfile... you need to first download a random file from the internet. Got you.