[bytefish]

I feel super uneasy developing Software with Angular, Vue or any framework using npm. The amount of dependencies these frameworks take is absolutely staggering. And just by looking at the dependency tree and thousands of packages in my node_modules folder, it is a disaster waiting to happen. You are basically one phishing attack on a poor open source developer away from getting compromised.

To me the entire JavaScript ecosystem is broken. And a typo in your “npm -i” is sufficient to open up yourself for a supply-chain attack. Could the same happen with NuGet or Maven? Sure!

But at least in these languages and environments I have a huge Standard Library and very few dependencies to take. It makes me feel much more in control.

[kigiri]

Deno solves this, it's not a JavaScript Issue, it's a Node.JS / NPM issue.

[Sander_Marechal]

How does Deno solve this? Genuine question by the way. I'm not trying to be snarky.

[bytefish]

It provides a runtime, that sandboxes your application and requires you to give explicit permissions for file system operations and network requests.

This limits the attack surface, when it comes to installing malicious dependencies, that npm happily installs for you.

So yes, I was wrong and my previous comment a hyperbole. A big problem is npm, and not JavaScript.

My point about the staggering amount of dependencies still holds though.

[int_19h]

Of course, this only works so long as the sandbox is secure.

There have been attempts to do this kind of sandboxing before. Java and .NET both used to have it. Both dropped it because it turns out that properly sandboxing stuff is hard.

[ramon156]

Go kinda solves this by using repo links instead of package names. This forces you to go through the repo and copy paste the url (instead of manually typing it out), but it's not bulletproof I guess.