by hsbauauvhabzb 1559 days ago
n-1 is a great concept that works right up until log4shell starts happening.

The solution is to audit all code you rely on, the unviability of that solution is the fault of the npm micro package ecosystem.
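The post's point is that an "n-1" policy (stay one release behind latest) only helps if you know where in the tree the vulnerable package sits, and that auditing "all code you rely on" means the full transitive closure, not the handful of direct dependencies. The script below, added here as an example and not taken from the thread, measures that audit surface from a package-lock.json v2/v3 `packages` map: it resolves each dependency edge the way Node's nested `node_modules` lookup does, walks the closure from the root, and reports direct vs. transitive counts, nesting depth, the most-depended-on package, and lockfile entries nothing reaches. The lockfile is constructed for illustration and every package name in it is hypothetical.

```javascript
"use strict";

// Constructed lockfile (all package names hypothetical), shaped like the
// "packages" map of a package-lock.json v2/v3. "" is the root project.
const constructedLock = {
  name: "app",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "web-framework": "^4.0.0", "logger": "^2.1.0" } },
    "node_modules/web-framework": {
      version: "4.2.0",
      dependencies: { "tiny-is-even": "^1.0.0", "path-helper": "^0.3.0" },
    },
    "node_modules/logger": { version: "2.1.3", dependencies: { "tiny-is-even": "^1.0.0" } },
    "node_modules/tiny-is-even": { version: "1.0.1", dependencies: { "tiny-is-odd": "^1.0.0" } },
    "node_modules/tiny-is-odd": { version: "1.0.0" },
    "node_modules/path-helper": { version: "0.3.2", dependencies: { "tiny-is-even": "^1.0.0" } },
    "node_modules/unused-dev-tool": { version: "9.9.9", dev: true },
  },
};

// Resolve `name` as required from the package at `fromPath`, walking up the
// nesting chain like Node does: node_modules/a/node_modules/b beats node_modules/b.
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (base === "") return null; // nothing left to climb; lockfile is inconsistent
    const idx = base.lastIndexOf("/node_modules/");
    base = idx < 0 ? "" : base.slice(0, idx);
  }
}

// Breadth-first walk of the dependency closure from the root project.
// Depth is the shortest path from the root; dependents counts inbound edges.
function auditSurface(lock) {
  const packages = lock.packages;
  const reached = new Map(); // lockfile path -> { name, version, depth, dependents }
  reached.set("", { name: lock.name, version: null, depth: 0, dependents: 0 });
  const queue = [["", 0]];
  while (queue.length) {
    const [path, depth] = queue.shift();
    const entry = packages[path] || {};
    const deps = Object.assign({}, entry.dependencies, entry.optionalDependencies);
    for (const name of Object.keys(deps)) {
      const target = resolveDep(packages, path, name);
      if (target === null) throw new Error(`unresolvable dependency ${name} from ${path || "root"}`);
      if (!reached.has(target)) {
        reached.set(target, { name, version: packages[target].version, depth: depth + 1, dependents: 0 });
        queue.push([target, depth + 1]);
      }
      reached.get(target).dependents += 1;
    }
  }
  reached.delete("");
  const list = [...reached.values()];
  return {
    total: list.length, // every package whose code ends up in the deploy
    direct: list.filter((p) => p.depth === 1).length,
    transitive: list.filter((p) => p.depth > 1).length,
    maxDepth: Math.max(0, ...list.map((p) => p.depth)),
    mostDepended: list.slice().sort((a, b) => b.dependents - a.dependents)[0] || null,
    // lockfile entries nothing reaches from the root (dev-only, stale, or orphaned)
    unreachable: Object.keys(packages).filter((k) => k !== "" && !reached.has(k)),
  };
}

console.log(JSON.stringify(auditSurface(constructedLock), null, 2));
```

On the constructed lockfile the two direct dependencies pull in three more packages, the tree is three levels deep, and the micro package `tiny-is-even` is reached by three different dependents, so pinning either direct dependency at n-1 says nothing about which `tiny-is-even` version ships. Point the function at a real lockfile (`JSON.parse(fs.readFileSync("package-lock.json"))`) to see the same numbers for your own project.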


The micro package ecosystem is also self-reinforcing: some micro packages were created by the same developers who have spun ownership of these things into more lucrative positions.

I've tried to get rid of micro packages in the dependency tree of popular libraries, but because it's a turf war, PRs get closed, and the problem continues.

I don’t think anything will change until large development firms pressurise popular projects to stop the behaviour.

I hope you speak with executive and lead developers to highlight the volatility of the ecosystem, like I do, every chance I get.

Node.js just needs a proper standard library and this will stop in no time. Never going to happen though.

Curious why that might be, if you have any insights?