by twelve40 488 days ago
How, um, is this different from PyPI or public repos in other languages... you could try to publish junk anywhere
2 comments

The lack of a batteries-included stdlib makes the JS ecosystem exceptionally vulnerable. PyPI is vulnerable to the same class of problems, but it’s an order of magnitude harder to execute a wide-reaching supply chain attack compared to NPM, since the dependency trees are far shorter on average.
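The comment above rests on dependency-tree shape (depth and number of installed packages), which is something you can measure rather than guess at. The script below is an added example, not code from anyone in this thread; it walks a `package-lock.json` in npm's lockfileVersion 3 layout, applies npm's nearest-enclosing-`node_modules` lookup rule to resolve each dependency, and reports the direct count, the total installed packages, the maximum depth, and any package installed in more than one version (each extra copy is another publisher and release you are trusting). The lockfile and all package names in it are constructed for illustration.

```javascript
// Added example: measure the depth and width of a transitive dependency tree
// from a package-lock.json (lockfileVersion 3). The lockfile and all package
// names below are constructed for illustration, not taken from a real project.
const CONSTRUCTED_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  requires: true,
  packages: {
    "": { name: "example-app", version: "1.0.0",
          dependencies: { "web-framework": "^4.0.0", "left-pad-ish": "^1.0.0" } },
    "node_modules/web-framework": { version: "4.2.0",
          dependencies: { "router": "^2.0.0", "body-parser-ish": "^1.0.0" } },
    "node_modules/router": { version: "2.1.0",
          dependencies: { "path-matcher": "^1.0.0" } },
    "node_modules/path-matcher": { version: "1.0.3" },
    "node_modules/body-parser-ish": { version: "1.5.0",
          dependencies: { "path-matcher": "^0.9.0" } },
    // Nested copy: body-parser-ish pins an incompatible path-matcher range,
    // so npm installs a second version underneath it.
    "node_modules/body-parser-ish/node_modules/path-matcher": { version: "0.9.1" },
    "node_modules/left-pad-ish": { version: "1.0.0" },
  },
};

// npm's lookup rule: a package installed at `fromPath` that requires `name`
// gets the copy in the nearest enclosing node_modules directory, walking up
// towards the project root. Returns the lockfile path of that copy, or null.
function resolveDependency(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = base ? `${base}/node_modules/${name}` : `node_modules/${name}`;
    if (Object.prototype.hasOwnProperty.call(packages, candidate)) return candidate;
    if (!base) return null; // reached the root: missing or optional dependency
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Installed package name from its lockfile path (handles nested copies and
// scoped packages such as node_modules/@scope/name).
function packageName(lockPath) {
  const marker = "node_modules/";
  return lockPath.slice(lockPath.lastIndexOf(marker) + marker.length);
}

// Walk the tree from the root entry (""), recording the shallowest depth at
// which each installed copy is reached. Cycles terminate because a revisit is
// only taken when it finds a strictly shallower depth.
function analyzeLock(lock) {
  const packages = lock.packages;
  const depthOf = new Map(); // lockfile path -> shallowest depth
  const stack = [["", 0]];
  while (stack.length) {
    const [path, depth] = stack.pop();
    const entry = packages[path] || {};
    for (const name of Object.keys(entry.dependencies || {})) {
      const target = resolveDependency(packages, path, name);
      if (target === null) continue;
      const d = depth + 1;
      if (depthOf.has(target) && depthOf.get(target) <= d) continue;
      depthOf.set(target, d);
      stack.push([target, d]);
    }
  }

  const versionsByName = new Map();
  let maxDepth = 0;
  for (const [path, d] of depthOf) {
    maxDepth = Math.max(maxDepth, d);
    const name = packageName(path);
    if (!versionsByName.has(name)) versionsByName.set(name, []);
    versionsByName.get(name).push(packages[path].version);
  }
  const multiVersion = {};
  for (const [name, versions] of versionsByName) {
    if (versions.length > 1) multiVersion[name] = versions.slice().sort();
  }

  return {
    directCount: Object.keys((packages[""] || {}).dependencies || {}).length,
    installedCount: depthOf.size, // distinct installed copies, nested ones included
    maxDepth,
    multiVersion,
  };
}

console.log(JSON.stringify(analyzeLock(CONSTRUCTED_LOCK), null, 2));
```

To run it against a real project, replace `CONSTRUCTED_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; the same walk applies, and comparing `installedCount` against `directCount` across projects is a quick way to put numbers behind a claim like the one above instead of arguing from impressions.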
With TensorFlow and more recently local LLMs, running say Ollama pulls in a scary amount of precompiled binaries from god knows where.

Just mentioning these because they are trendy.

Regarding the general issue, it can happen in any language with package management.

It's not reasonable to just yell "JS sucks" because I've seen it in a bunch of places by now.

In node projects, having more dependencies is usually seen as an asset, not a liability.

Other than that, I don't think there's a difference. When I write node projects, I tend to minimize dependencies, but I've seen PR comments saying "you know you could just get a package to do that".

> In node projects, having more dependencies is usually seen as an asset, not a liability

Not in anywhere I've worked for the past ~decade...

Replies seem to be indicating my experience is the outlier. That's reassuring to me.
It was definitely the case prior, though, so you're not completely off base :)
This is an extremely weird thing to say. I don't know a single node dev who wants more dependencies. Anyone with a modicum of experience in the space knows the cost of bringing in more external code.
"Usually"?

Do you have some statistics on that, or do you just feel that way?

Just feel that way. That's my anecdotal observation. YMMV.
[Misread, mb - ty @Jarwain]
You may have mixed up who the commenter was replying to. They were specifically questioning the "usually seen as an asset, not a liability" bit.
That’s really all there is in the comment. They’re unambiguously conflating “number of dependencies are higher” with some sort of statement about the value system of people that work with a certain language. It’s silly language tribalism.