Yeah, but the Azure supply chain attack explains why all of a sudden they can make this change.
It seems that if you want to get something important changed in npm, you simply need to exploit some of its shortcomings against Microsoft instead of discussing why it's necessary.
> And to be fair 2: The other package repos also suck.
If you mean other languages, then yeah a lot of similar issues and weirdness there as well. Maven dependencies in any complex project are a "fun" challenge as well.
Though the sort of recurring supply chain attacks you see within the npm ecosystem is something I haven't seen elsewhere to this degree.
Maybe I have nostalgia blinders on but I do NOT remember putting up with this much bullshit in the Ruby ecosystem and I didn't even like Ruby. Gemfiles were pretty okay, and Gemfiles are what everyone assumed npm would be a copy of.
And to be fair 2: The other package repos also suck.