[krzyk]

I'm a bit new to rust or npm system.

But I always thought NPM was what the author describes - just a random set of packages with git sources, which I thought was the main issue (leftpad etc.). Isn't that the case?

What about one system that just works and is there for "ages": maven repository?

[zdragnar]

NPM doesn't require any version control, it's just a repository for files. The "main" issue (if one could be called such) around leftpad is that the types of ranges that could be specified for grabbing versions was very loose, and many dependencies of dependencies might just grab whatever is "latest".

Then, when someone throws a fit, they upload a broken version to NPM, and everyone downstream is SOL (or the package is given over to a malicious maintainer, or the maintainer is hacked, etc).

Heck, NPM doesn't (didn't?) require a license either. One of my former employers never let us use Webpack 1.x because it depended on something that depended on something that depended on a package from the very early days of NPM that didn't come with a license (it was by isaacs iirc, so it was meant to be public, but the version specified wasn't licensed). It wasn't until webpack 2.x that the versions were updated enough that all of the dependencies were formally open source.