[3np]

That would be a clear violation of the npm Unpublish Policy[0]. If all it takes is some spam and pissing people off to walk away from principles, they never meant anything. A proper response needs to not break expectations like this.

[0]: https://docs.npmjs.com/policies/unpublish

[bigDinosaur]

The entire NPM ecosystem is a garbage fire. Who cares about whatever 'principles' it supposedly has? Other than avoiding malware I can't think of something I care about less than whatever principles NPM / JS developers in general have because they've mostly been bad so far.

I wouldn't be surprised if principles in this case leave us with thousands of spam packages degrading the node ecosystem forever. It'd be exactly what I expect. So I guess I should thank the principle of consistency.

[lolinder]

I know it's a meme on HN to rant about the terrible JavaScript ecosystem and how bad JS developers are, but I would ask that if you're going to do it you be specific about what you mean instead of just generally accusing it of being "bad".

It's not even that I disagree, it's that it's a conversation killer. "The JS ecosystem is bad" has no response someone could make besides "no it's not", which is boring. "The JS ecosystem encourages using a million tiny unmaintained packages and that is bad" is a much more interesting statement that can spark a useful discussion.

[marginalia_nu]

We can empirically observe that NPM-sphere is relatively alone among software ecosystems to have this particular problem.

This is an indication that the problem is either with some facet of NPM itself, javascript the language or js programmers, as that is what distinguishes the ecosystem from e.g. Maven or Pip that do not suffer from the same problems, at least not to the same extent.

However, going from this observation to isolating causal factors is a lot harder, and randomly guessing isn't very likely to hit the mark.

[WA]

It's two things really: a small standard library and sheer size of developer community. JS has way more developers than any other language. But if you search for "$PROGRAMMING_LANGUAGE supply chain issues" you literally find reports for all popular languages.

[1] claims that half of Python packages have security issues.

[2] says that the Rust supply chain has security issues.

just as two examples.

---

[1]: https://www.theregister.com/2021/07/28/python_pypi_security/

[2]: https://news.ycombinator.com/item?id=40864787

[brynb]

and then there's go, wherein you simply don't import anything outside of the stdlib. a stoic and rather perfect immunity to this nonsense

[lolinder]

You're doing it again, though: are "this particular problem" and "these problems" the tea.yaml spam? The million tiny packages problem I mentioned? The fact that people online will generically attack the ecosystem without being specific about their complaints?

I'm not asking for solutions, and I'm not asking for people to identify casual factors. I'm asking for people to put a little bit more effort into their criticisms of the JS ecosystem than just "it's obviously and empirically a dumpster fire".

[pdimitar]

A lot of people have already been very specific in many other threads -- "the JS ecosystem has way too many and way too small packages and there's zero curation".

Not sure what your seemingly intended moderation is supposed to achieve but the complaints towards the JS ecosystem have been very clear for no less than 10 years.

[marginalia_nu]

"70% of new NPM packages in last 6 months were spam"

[lolinder]

So we're specifically talking about the tea.yaml spam. More than any other topic that seems like one that is worth digging into details on rather than just shrugging and saying isolating causality is hard.

If we look at the chart in the original article [0] that this one is a follow up to, the NPM spam suddenly picked up around the end of February, with new packages per day first doubling and then tripling. So this 70% figure is specific to the last 6 months, not something that has been the case with the ecosystem for a long time.

That makes tracing causality much simpler: the Tea protocol seems to be pretty clearly the source of the problem. The big open question is why NPM, but the way that people jump to the conclusion that NPM being the target of this attack must have something to do with the flaws in the ecosystem smacks of victim blaming. Isn't it just as possible that NPM was targeted because it's huge? If you're going to run a massive spam campaign you do it where the people are.

Could NPM learn from this and start controlling spam better? Yes! But That's not the same thing as attributing this tea.yaml nonsense to systemic flaws in the ecosystem—spam prevention has to be balanced with usability, and the balance was pretty decent until 6 months ago.

[0] https://blog.phylum.io/digital-detritus-unintended-consequen...

[sushibowl]

> The JS ecosystem encourages using a million tiny unmaintained packages and that is bad

continuing on this, I wonder if this is a cultural thing or if there are actual technical choices made in NPM that play a role. Could NPM change something in their package management to change this? Should they?

[brynb]

it's language-cultural. to "publish a package" in Go simply means having a public git repository. and yet, nobody who writes Go imports packages. it's well-understood that if you can't write something like leftpad (or many other JS packages) yourself in your own codebase in a few lines, you're an absolute nonce. Javascript developers on the other hand tend to skew towards the juniors in our broader ecosystem, and they seek easy and quick prestige, which leads to "star farming"/"download farming"

[lupire]

So no one uses all those Go libraries on GitHub? Hmmm except pedophiles? What is wrong with you?

[brynb]

... _what_? i don't think you parsed my comment correctly at all

to address the part of your comment that doesn't make my head spin: only very occasionally do i see senior Go developers import 3rd party libraries. i'm just speaking from my experience

[gleenn]

The Lpad fiasco was pretty bad, being able to delete libraries used by so many people. Hard to forget that.

[lolinder]

Which, incidentally, some people seem to have forgotten when suggesting that NPM should start deleting things en masse.

[pdimitar]

What other outcome than "curation" do you see as a solution of the "bloat" problem?

[3np]

One possible outcome: Start considering it a public namespace (which in practice it's been not far from for a long time).

Meaning curation falls outside it and should not be centrally and unilaterally enforced by gating the entry.

We seem to be handling the bloated .com DNS namespace just fine.

[dgfitz]

A new npm-esque?

[marcosdumay]

The JS ecosystem doesn't have any singular bad feature that other languages do not share.

Instead, what it does have is a huge prevalence of those features, and minimal size of a "safe space" where one can have some confidence they will not appear. Both of those are quantitative differences, that people can not summarize in a short comment, and people can easily dismiss with (misguided or dishonest) counterexamples.

So, what you are asking for is a full blown large scale study of several ecosystems. Somebody may do something like that, but not for a comment, and not because you asked.

[lolinder]

I ask because I don't believe the JS ecosystem is notably worse than the Python ecosystem or the Java ecosystem and I'm tired of the meme of railing on JS developers when what people are really railing against is developers in general.

All ecosystems that are sufficiently popular have terrible problems. They have different problems, but none is consistently pleasant to work with. Out of all of them, though, JS gets singled out for constant attacks because... reasons.

I just want people to identify what those reasons are so we can have a conversation about them rather than just endlessly repeating the meme.

[_heimdall]

Its not about principles in some abstract sense though, its terms if use. Package authors need to know what the rules of the road are when dedicating time to publishing to npm, and package users need to know how much they can rely on the packages they depend on still being there tomorrow.

It'd be one thing if npm added audit warnings along the lines of "3 dependencies are likely spam." It'd be a totally different story for npm to remove them automatically based on a toolset used, in the GP example.

[alright2565]

No, it isn't?

The unpublish document describes the options that users of NPM have to remove packages themselves. It was created after some situation where someone unpublished an important package.

A whole different set of terms governs which packages NPM can remove. This definitely includes these packages, either as "abusive" or "name squatting"

Not only that, but NPM's TOS makes it very clear that you have no recourse if they decide to remove your package for any reason.

[3np]

> Registry data is immutable, meaning once published, a package cannot change. We do this for reasons of security and stability of the users who depend on those packages. So if you've ever published a package called "bob" at version 1.1.0, no other package can ever be published with that name at that version. This is true even if that package is unpublished.

This statement makes assertions and sets expectations for both publishers and users. It would be senseless if npmjs would start arbitrarily "taking down" packages on their own discretion simply because they include a tea.yaml file (as proposed in the comment I replied to).

[wesselbindt]

Principles are a means to an end, not an end in themselves. The end here (presumably) is a healthy ecosystem, an end which this principle arguably harms more than it helps. Rigid and unthinking adherence to principles is dogmatic, and dogma has no place in engineering.

[lolinder]

> The end here (presumably) is a healthy ecosystem

More specifically, the end here is a package manager that doesn't randomly start break your builds because a dependency you need can just vanish from the main servers or lose files you expected to be there. That may or may not contribute to a healthy ecosystem, but it definitely contributes to widespread usage of npm.

[brynb]

if you've been duped into importing a package which has been broadly deemed as spam (but you're not looped into the public conversation about that fact enough to realize it), wouldn't "breaking the build" be a good way to get you to realize your folly and avoid the trap?

[pixl97]

No, that is but one condition of the end, but not the whole of the end.

A system is all the parts it requires to continue to exist. Widespread usage of NPM will collapse if everything on it is hot dangerous garbage that infects your CI-CD/dev box with something when you type a wrong character. There are multiple dimensions to trust. Is the package I'm using going to disappear is one. Is the package I'm using a virus is another. Is the entire NPM ecosystem going to collapse under the weight of controlled growth and hosting costs leaving me with nothing is yet another.

You need to back up and look at the whole elephant.

[dotancohen]

  Never let your principles get in the way of doing what is right.
    - Isaac Asimov

[rk06]

Pragmatism trumps principles. In this case, it is better to unpublish these packages, than turn npm registry into a bigger garbage

[huimang]

Do principles matter if a registry becomes seen as spam or a security risk due to refusing to take action?

[edflsafoiewq]

How about banning it going forward instead?