by wperron 1586 days ago
Hi, I'm one of those people in the PR advocating for this change :) I think you may have missed the point of comparing the security aspects to NPM. By saying "it's no less secure" it's not saying "well it's just as bad, so what's the point?", but rather "given that it doesn't introduce any more vulnerabilities, what does this model unlock for us?"

HN comments probably aren't the best place to go in-depth on this topic, but just off the top of my head, HTTPS imports allow a greater detachment from a centralized registry, something we're seeing used a lot in the Go ecosystem, and we're moving server-side JavaScript closer to how browser JavaScript works, which is a good thing for anyone using the language, as it reduces friction across the board. This might not be something obvious for people working mostly/only on the backend, in which case those frictions aren't as apparent, but they are there nonetheless.

2 comments

> HTTPS imports allow a greater detachment from a centralized registry,

I know that the people advocating for this are smart, I know you're being thoughtful about this, so forgive the simplistic question, but every package manager I'm aware of for NodeJS already supports this.

Can't people already import npm dependencies from arbitrary URLs without signing or attaching anything to the npm repository? And the other thought that jumps into my mind is, if people aren't doing that with npm that even though it's well-supported, that might be a signal that there are problems with the model of using arbitrary URLs for dependencies that make it less attractive overall to developers -- and I'm not sure how ES Imports using URLs would change or fix any of that.

> given that it doesn't introduce any more vulnerabilities

I think this is where we are in disagreement. You're adding code to Node core in order to support this, which opens the door to new vulnerabilities (bugs) by definition, because people make mistakes. Now you will have two code systems to scrutinize and maintain that are doing essentially the same thing. I don't think the arguably-slightly-better ergonomics of HTTPS imports justifies the increased risk.
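The two comments above compare npm's existing support for URL dependencies in package.json with direct HTTPS imports in ES modules. The following script is an added example, not code from the thread or from the Node PR under discussion: it lists, for a project, every dependency that points at a location other than the npm registry, in either form, so that a reviewer can see which code is fetched without passing through the registry. The package.json contents, the source file and all hostnames are constructed for the example; the classification rules are the author's own, not npm's resolver.

```javascript
// Added example (not from the HN thread or the Node PR): audit a package.json
// and a set of ES module import specifiers for dependencies that bypass the
// npm registry. package.json already accepts tarball URLs, git URLs and
// hosted shorthands such as "user/repo"; ES modules can name an https: URL
// directly. Both fetch code the registry never saw.

// Classify one package.json dependency value (simplified rules, assumed
// here; they cover the common spellings but are not npm's full grammar).
function classifyNpmDependency(spec) {
  if (/^(https?|git|git\+ssh|git\+https|ssh):\/\//.test(spec)) return "url";
  if (/^(github:|gitlab:|bitbucket:)/.test(spec)) return "url";   // hosted shorthand
  if (/^[\w.-]+\/[\w.-]+(#.*)?$/.test(spec)) return "url";        // bare "user/repo[#ref]"
  if (/^file:/.test(spec)) return "local";
  return "registry";                                               // semver range, tag or npm: alias
}

// Classify one ES module import specifier.
function classifyImportSpecifier(spec) {
  if (spec.startsWith("./") || spec.startsWith("../") || spec.startsWith("/")) return "relative";
  if (spec.startsWith("node:")) return "builtin";
  let url;
  try {
    url = new URL(spec);              // throws for bare specifiers such as "lodash"
  } catch {
    return "bare";
  }
  if (url.protocol === "https:") return "https-url";
  if (url.protocol === "http:") return "http-url";
  return "other-url";                 // data:, file:, blob: and friends
}

// Extract static `import ... from "x"` / `import "x"` and dynamic `import("x")`
// specifiers from a source string (regex based; good enough for an audit pass).
function auditImports(source) {
  const staticRe = /\bimport\s+(?:[^;'"]*?\s+from\s+)?["']([^"']+)["']/g;
  const dynamicRe = /\bimport\s*\(\s*["']([^"']+)["']\s*\)/g;
  const found = [];
  for (const re of [staticRe, dynamicRe]) {
    for (const m of source.matchAll(re)) {
      found.push({ specifier: m[1], kind: classifyImportSpecifier(m[1]) });
    }
  }
  return found;
}

// Combine both views into one report. `offRegistry` is the list a reviewer
// would read first: code that arrives from an arbitrary URL in either form.
function auditProject(pkg, source) {
  const dependencies = Object.entries(pkg.dependencies ?? {}).map(([name, spec]) => ({
    name, spec, kind: classifyNpmDependency(spec),
  }));
  const imports = auditImports(source);
  return {
    dependencies,
    imports,
    offRegistry: [
      ...dependencies.filter((d) => d.kind === "url").map((d) => `${d.name} -> ${d.spec}`),
      ...imports.filter((i) => i.kind.endsWith("-url")).map((i) => i.specifier),
    ],
  };
}

// Constructed sample inputs (not a real project).
const SAMPLE_PACKAGE_JSON = {
  dependencies: {
    "left-pad": "^1.3.0",                                     // registry
    "some-lib": "https://example.com/some-lib-1.0.0.tgz",     // tarball URL
    "other-lib": "github:someuser/other-lib",                 // hosted shorthand
    "third-lib": "someuser/third-lib#v2.0.0",                 // bare user/repo
    "local-lib": "file:../local-lib",                         // local path
  },
};

const SAMPLE_SOURCE = `
import fs from "node:fs";
import "./polyfill.js";
import { sum } from "./util/math.js";
import lodash from "lodash";
import React from "https://esm.example.com/react@18";
import legacy from "http://cdn.example.com/legacy.js";
const dyn = await import("https://esm.example.com/dynamic.js");
`;

// Stand-alone run: print the off-registry sources for the sample project.
console.log(auditProject(SAMPLE_PACKAGE_JSON, SAMPLE_SOURCE).offRegistry.join("\n"));
```

The point the script makes is the one both commenters circle: whether the URL lives in package.json or in an import statement, the fetched bytes are only as trustworthy as the host serving them, so a project that uses either form needs some pinning mechanism (a lock file with integrity hashes for npm, or an equivalent for URL imports) before the two models are comparable on security.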