> When people delegate their brains to others, their own judgment naturally deteriorates and it makes them much easier to fool
A thought as old as thoughts about thoughts are, almost:
> For this invention will produce forgetfulness in the minds of those who learn to use it, because they will not practice their memory. Their trust in writing, produced by external characters which are no part of themselves, will discourage the use of their own memory within them. You have invented an elixir not of memory, but of reminding; and you offer your pupils the appearance of wisdom, not true wisdom, for they will read many things without instruction and will therefore seem to know many things, when they are for the most part ignorant and hard to get along with, since they are not wise, but only appear wise.
The quote above is about books, from Plato's dialogue Phaedrus 14 (370-360 BCE). You by any chance feel the same about books as you feel about reusable JavaScript modules published on npm?
This plato's quote about books is too often used as something like: "someone smart was wrong about something once, hence everyone is wrong about every new thing forever"
> This plato's quote about books is too often used as something like: "someone smart was wrong about something once, hence everyone is wrong about every new thing forever"
I mean, it is fairly similar to what parent actually wrote, isn't it a relevant quote in the context? You're not actually arguing for one way or another, but simply because you've seen the quote multiple times before, it doesn't apply, or what are you trying to say?
How is the left_pad incident related to developers becoming easier to fool?
My layman’s understanding, based solely on the quote you cited, is that it criticizes books for not providing proper instruction — being just pupils, readers need a tutor. The only way this could relate to programming libraries being reused is if people didn’t even read the books back then, much like they don’t read the libraries' source code right now.
I’m by no means agreeing with the quote, nor am I against reusing programming libraries carelessly; I just don’t see how the two are related.
I dunno, Linux distros have a pretty good track record at the same problem, over multiple decades of evidence.
The difference is that they don't allow self-publication. Canonical and Red Hat et. al. work downstream of an active community of developers cross-attesting good software. So their problem becomes "This software is known to be good, let's package it!". So to get malware into the machines of users it's not enough to fool the users, you need to fool the packagers too. And it happens, but very rarely (c.f. the xzutils mess from last year).
Node and similar repositories thought they could short-circuit that process, and as has been extensively documented, it doesn't work because users are too lazy to authenticate their own software.
The lack of a batteries-included stdlib makes the JS ecosystem exceptionally vulnerable. PyPI is vulnerable to the same class of problems, but it’s an order of magnitude harder to execute a wide-reaching supply chain attack compared to NPM, since the dependency trees are far shorter on average.
In node projects, having more dependencies is usually seen as an asset, not a liability.
Other than that, I don't think there's a difference. When I write node projects, I tend to minimize dependencies, but I've seen PR comments saying "you know you could just get a package to do that".
This is an extremely weird thing to say. I don't know a single node dev who wants more dependencies. Anyone with a modicum of experience in the space knows the cost of bringing in more external code.
That’s really all there is in the comment. They’re unambiguously conflating “number of dependencies are higher” with some sort of statement about the value system of people that work with a certain language. It’s silly language tribalism.
This is an ironic statement, right? Because you’re mindlessly parroting a copy of a copy of what was once, probably, an intelligent and appropriately nuanced take? And because you’re attributing this to the “JS ecosystem” when supply chain attacks are common in many different ecosystems?
Worst of all: the article never explains what npm has to do with it. Vscode extensions are not installed via npm, so at least part of the malware depends on the Vscode extension store.
JS/TS having code reusability isn't a problem. Other ecosystems don't have the same problems not because they have package repos just as good as npm but write everything from scratch out of virtue, but because they don't have package repos just as good as npm.
I’d be curious to hear what you think that PyPI et al are doing that NPM should be copying. It sounds like you’re pretty knowledgeable in this area, to be comfortable making comments like this with such confidence.
Is this even related to npm? The extension was on the VS Code marketplace, I can't see any evidence that npm is involved at all besides that it's referenced in passing exactly once in the article:
> the need for caution when installing VS Code extensions, especially those obtained from public package registries like npm.
I'm not aware of any way to install a VS Code extension through NPM. The article honestly just reads like the author knew that Mend does a lot of business selling NPM dependency scanning and that they're therefore expected to stuff it as a keyword for SEO.
A thought as old as thoughts about thoughts are, almost:
> For this invention will produce forgetfulness in the minds of those who learn to use it, because they will not practice their memory. Their trust in writing, produced by external characters which are no part of themselves, will discourage the use of their own memory within them. You have invented an elixir not of memory, but of reminding; and you offer your pupils the appearance of wisdom, not true wisdom, for they will read many things without instruction and will therefore seem to know many things, when they are for the most part ignorant and hard to get along with, since they are not wise, but only appear wise.
The quote above is about books, from Plato's dialogue Phaedrus 14 (370-360 BCE). You by any chance feel the same about books as you feel about reusable JavaScript modules published on npm?