by young_unixer 1553 days ago
On one hand, I don't want to be anywhere near protestware when it comes to my work or the tools I use.

On the other hand, Javascript developers have a whole different culture than the developer circles I like to frequent. In npm-land, the societal expectations of quality and solemnity (for lack of a better word) are lower, and this kind of behaviour is even celebrated if it favors the "right cause".

The last two cases we've seen (faker/colors, node-ipc) just took it one step further, but we've seen a lack of seriousness from both the npm organization and the community during the last... what? 6 years? At this point, if you stay in the whole npm ecosystem, it's understood that you do so at your own risk.

> Javascript developers have a whole different culture than the developer circles I like to frequent.

Most Javascript developers I know are just writing code and that's what they're concerned with.

Vocal voices on twitter or etc != most Javascript developers.

I'd argue most vocal folks on forums or etc don't represent most developers of any given language.

Sure, just like most men aren't violent criminals but men are still statistically more likely to be violent criminals. The point is that JS devs seem (perhaps a proper statistical study will show otherwise) more likely per capita to shit up their ecosystem. There are several reasons contributing to this (the limited JS standard lib being a big one) but a major part of it really seems to be that JS devs are a different breed.

I've never seen controversies like this in the .NET/Nuget ecosystem, the only controversies I've ever seen there are over libraries changing licenses to make the authors more money, and controversies over Microsoft exercising too much control over the ecosystem.

> but a major part of it really seems to be that JS devs are a different breed.

Can you really make such generalizations considering there are millions of JS devs, some of them not working exclusively in this language?

Here are some package counts (http://www.modulecounts.com/) for different platforms:

* npm - (1,916,619)

* Maven - (465,713)

* NuGet - (299,957)

npm has about 2.5 times the number of packages as Maven and NuGet combined; it's not surprising that it has more drama than other ecosystems.

> I've never seen controversies like this in the .NET/Nuget ecosystem

Some .NET ecosystem projects have put political messages on their documentation over the past couple of years.

I think they meant "controversies" more in the "adding malware to a common dependency" sense.

> men are still statistically more likely to be violent criminals

I think you meant criminals are more likely to be men.

No, I meant exactly what I said, more men are violent criminals per capita than women. What you said is also true, but it's not what I meant.

Moreover, unless we are talking about a very unusual subset of the population, the ratio of men:women is always almost 1:1, which renders the two statements functionally equivalent.

Oh, you meant in relation to women. I misinterpreted that you were saying if you pick 10 men, then over 5 of them are violent criminals.

They're equivalent, in this case.

They're both talking about the same phenomena and are technically correct, but the framing is different. Specifically, the latter wording tries to defuse blame on males.

> I'd argue most vocal folks on forums or etc don't represent most developers of any given language.

Sure, but for some reason, this stuff seems to only happen in the JS community (at least to my knowledge and recollection, which admittedly may be faulty). Maybe it's the fault of the tooling or the language, but Python is another popular language which has historically had quite a messy answer to dependency management, and I don't remember ever hearing about an open source Python developer throwing a hissy fit and trying to wipe the hard drives of everyone who uses their software.

> this stuff seems to only happen in the JS community

What stuff? Drama? That happens everywhere.

Malware? That stuff happens a lot of places, maybe npm makes it more accessible but that's just a technical hurdle ... doesn't mean it wouldn't happen elsewhere if folks could do it easily.

I'm talking about the particular sort of incident mentioned in the grandparent post, where a dev gets a bee in their bonnet about something or other and decides to purposefully screw over their users. Other ecosystems have had supply chain attacks of course, but something about JS seems to really encourage turning run-of-the-mill internet drama into CVEs and broken software.

Maybe, as you say, it's a technological problem. However, if that's the case, it's an eminently solvable one, as evidenced by the fact that I've never in my life had to avoid bumping my Java dependencies because I'm worried my CI pipeline will be overrun with heart emojis, and the fact that the JS community has not solved it just points to a different kind of un-seriousness.

I don’t think it is understood. Most people who write JavaScript aren’t keeping up with the latest drama. I hadn’t seen any of these political complaints before this thread and I’m a lead engineer on a full stack typescript stack. Not that I have an opinion either way, I just don’t think you can reasonably expect devs to keep up with stuff like this.

I think if you pull in code from all sorts of random people across the Internet, you probably absolutely should have some idea what risks that entails, and stay aware of the "latest drama", so you know when running "npm update" is likely to ruin the rest of your day.

Of course, the ideal solution is just to not use an ecosystem where pulling in code from all sorts of random people is common.

Hard disagree. Needing to follow the politics of every piece of your tech stack is a ridiculous way of doing things. We should have a system to verify if a module is malicious or not, that’s an engineering problem; politicking about in open source communities is not. Engineers should be engineering things.

You can not engineer away human problems. I agree that's a ridiculous way of doing things, but it's the only reasonable way to use Node! Which is to say, I think Node is not a great tech stack if you do not want to follow drama.

Adding an antivirus scanner to your Node project is not going to fix this. It certainly hasn't solved the malware issue in the last few decades for PCs.

At the very least don’t task your principal engineer with solving human problems then. I stand by my initial comment that that is a waste of a good engineer's time and mental health.

I think keeping up on things like this is the bare minimum expectation I would have of any lead developer worth his or her salt, because keeping up on things like this is a fundamental aspect of knowing the technological ecosystem in which you claim to have the skills and knowledge in which to make decisions about things like which technical ecosystem your entire team should be using.

Whether or not most engineers _do_ keep up on things like this, is a different question. But that's why there's a large range in salaries for similar positions across our industry.

> I think keeping up on things like this

Keeping up on actual code related concerns yeah. Internet drama, no.

There is a very very very big difference between low quality and straight up malware, though.

I would never get angry because of a package which doesn't work properly. I didn't pay for it and I treat it as essentially a social media post. It should be assumed broken until proven functional.

But there is no "right cause" for spreading actual malware.