by peanut_worm 729 days ago
I don’t understand why JS devs treat dependencies the way they do. If you are writing scripts that run on other people’s computers I feel like the dependencies used should be vetted for security constantly, and should be used minimally.

Meanwhile most libraries seem to have 80 trillion dependencies written by random github accounts called “xihonghua” or something with no other projects on their account.


There’s a wide, wide range of devs that fit under the label of “JS dev”. At the more junior or casual end, npm and CDNs are shoved in your face as the way to go. It shouldn’t be surprising that it’s the natural state of things.

I’ve worked with many JS devs who also have broader experience and are more than aware of issues like these, so it just depends I guess.

The bigger issue may just be the lack of a culture that vendors its code locally, and the habit of always relying on the third-party infrastructure (npm or a CDN) instead.

It’s somewhat similar, but for any Rust project I’m building I wind up vendoring the crates I pull in locally and reviewing them. I thought it would be more annoying, but it’s really not that bad in the grand scheme of things, and there should be some automated things you could set up to catch obvious issues, though I defer to someone with more knowledge to chime in here.

This may be an extra level of headache with the JS ecosystem due to the sheer layers involved.
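The kind of automated check the comment above is asking for, applied to the JS side of the thread, as an added example that is not from the thread or any of its posters: an offline audit of an npm package-lock.json that flags packages fetched from somewhere other than the registry, packages with no integrity hash, and packages that run install scripts, and counts how many transitive packages each direct dependency drags in. The lockfile embedded below is constructed for the example; the field names (`packages`, `resolved`, `integrity`, `hasInstallScript`, `link`, `dependencies`) are the ones npm writes for lockfileVersion 2 and 3, and the resolution walk mirrors how Node looks up nested `node_modules` directories.

```javascript
// Added example, not code from the HN thread. Audits a package-lock.json
// offline for the things a reviewer vetting dependencies would look at first.
// The lockfile below is constructed for this example.
const SAMPLE_LOCK = JSON.stringify({
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { left: "^1.0.0", tarball: "^0.1.0" } },
    "node_modules/left": {
      version: "1.0.0",
      resolved: "https://registry.npmjs.org/left/-/left-1.0.0.tgz",
      integrity: "sha512-c29tZXRoaW5n...",
      dependencies: { deep: "^1.0.0" },
    },
    // nested copy: left's own deep@1.x, distinct from the hoisted deep@2
    "node_modules/left/node_modules/deep": {
      version: "1.5.0",
      resolved: "https://registry.npmjs.org/deep/-/deep-1.5.0.tgz",
      integrity: "sha512-YW5vdGhlcg...",
    },
    "node_modules/deep": {
      version: "2.0.0",
      resolved: "https://registry.npmjs.org/deep/-/deep-2.0.0.tgz",
      integrity: "sha512-dGhpcmQ...",
      hasInstallScript: true, // npm will run its preinstall/postinstall hooks
    },
    "node_modules/tarball": {
      version: "0.1.0",
      resolved: "https://example.com/tarball-0.1.0.tgz", // off-registry, no hash
      dependencies: { deep: "^2.0.0" },
    },
  },
});

// Node's lookup order: <from>/node_modules/<dep>, then climb one
// node_modules level at a time until the project root.
function resolvePath(packages, fromPath, depName) {
  let base = fromPath;
  for (;;) {
    const candidate = base === "" ? `node_modules/${depName}` : `${base}/node_modules/${depName}`;
    if (candidate in packages) return candidate;
    if (base === "") return null;
    const cut = base.lastIndexOf("/node_modules/");
    base = cut === -1 ? "" : base.slice(0, cut);
  }
}

// Every package reachable from `fromPath` through declared dependencies.
function transitiveDeps(packages, fromPath) {
  const seen = new Set();
  const stack = [fromPath];
  while (stack.length > 0) {
    const current = stack.pop();
    const deps = (packages[current] && packages[current].dependencies) || {};
    for (const dep of Object.keys(deps)) {
      const target = resolvePath(packages, current, dep);
      if (target !== null && !seen.has(target)) {
        seen.add(target);
        stack.push(target);
      }
    }
  }
  return seen;
}

function auditLockfile(lockText, allowedHosts = ["registry.npmjs.org"]) {
  const lock = JSON.parse(lockText);
  if (!lock.packages) throw new Error("need lockfileVersion 2 or 3 (a 'packages' map)");
  const packages = lock.packages;
  const findings = [];
  for (const [path, entry] of Object.entries(packages)) {
    if (path === "" || entry.link) continue; // root project / workspace symlink
    if (!entry.resolved) {
      findings.push({ path, reason: "no resolved URL" });
    } else {
      let host;
      try { host = new URL(entry.resolved).host; } catch { host = entry.resolved; }
      if (!allowedHosts.includes(host)) findings.push({ path, reason: `fetched from ${host}` });
    }
    if (!entry.integrity) findings.push({ path, reason: "no integrity hash" });
    if (entry.hasInstallScript) findings.push({ path, reason: "runs an install script" });
  }
  // How many installed packages each direct dependency accounts for (itself included).
  const perDirect = {};
  for (const name of Object.keys(packages[""].dependencies || {})) {
    const top = resolvePath(packages, "", name);
    perDirect[name] = top === null ? 0 : transitiveDeps(packages, top).size + 1;
  }
  return {
    totalPackages: Object.keys(packages).length - 1,
    reachable: transitiveDeps(packages, "").size,
    perDirect,
    findings,
  };
}

console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK), null, 2));
```

On the constructed lockfile this reports four installed packages, two per direct dependency, and three findings: `deep@2.0.0` runs an install script, and `tarball` is fetched from example.com with no integrity hash. Run against a real `package-lock.json` (`auditLockfile(fs.readFileSync("package-lock.json", "utf8"))`) the same checks give a reviewer a short list of what to read before vendoring, and a CI job can fail on any non-empty `findings`.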

Combine that with electron and auto update everything

I've seen devs include scripts from templates when the app was for a bank's internal users and intranet only. They are clueless.

Just want to point out that there's nothing wrong with having a Chinese username alone.

Because that is how the tutorials on "web development" teach it. Just use this thing and don't ask what it is.

Meanwhile, years after it was well known that the JS dependency model was an utter security disaster, the Rust ecosystem went on to copy it.