craftkiller 4 days ago

> You can pretend like this is unique to JS ecosystem, but xz was compromised for 3 years.

Okay, but you're not suggesting that a compression algorithm is the same scale as "is-arrayish". I don't think everyone should need to reimplement LZMA but installing a library to determine if a value is an array is bordering on satire.

paulddraper 4 days ago | parent | prev [-]

FWIW, is-arrayish is primarily an internal dependency. The author (Qix) depends on it for the packages that actually get used, like color and error-ex.

But it's all one author.

craftkiller 2 days ago | parent | next [-]

It might be an internal dependency for this author, but package.json is only for direct dependencies, right? GitHub shows is-arrayish is a direct dependency of thousands of repos: https://github.com/search?q=%22is-arrayish%22+path%253Apacka...

paulddraper 2 days ago | parent [-]

Yes. And npm shows 1500 direct dependent packages. [1]

Vast majority are nothing. No stars, no downloads.

(IDK why. What I do know is that if you crack open the node_modules for any real project, is-arrayish will be there only because of one of the Qix packages.)

[1] https://www.npmjs.com/package/is-arrayish?activeTab=dependen...
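The claim above (is-arrayish shows up in a real project's node_modules only because one of the Qix packages pulls it in) is something you can check against your own lockfile rather than the npm dependants tab. The script below is an added example, not code from the thread or from any of the packages named in it. It walks an npm package-lock.json in the lockfileVersion 3 "packages" layout, follows Node's nearest-node_modules resolution for each dependency edge, and prints every chain from a direct dependency down to a target package. The lockfile embedded in it is constructed for illustration: the direct dependencies color and error-ex match the thread, the intermediate hops and all version numbers are made up.

```javascript
// Added example: find every chain from a direct dependency to a target package
// in an npm lockfile (lockfileVersion 3, "packages" map keyed by install path).

// Constructed lockfile fragment. Package names follow the thread; the
// intermediate hops and every version number are illustrative, not real data.
const LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { color: "^4.0.0", "error-ex": "^1.3.0" } },
    "node_modules/color": {
      version: "4.2.3",
      dependencies: { "color-convert": "^2.0.1", "color-string": "^1.9.0" },
    },
    "node_modules/color-convert": { version: "2.0.1", dependencies: { "color-name": "~1.1.4" } },
    "node_modules/color-name": { version: "1.1.4" },
    "node_modules/color-string": {
      version: "1.9.1",
      dependencies: { "color-name": "^1.0.0", "simple-swizzle": "^0.2.2" },
    },
    "node_modules/simple-swizzle": { version: "0.2.2", dependencies: { "is-arrayish": "^0.3.1" } },
    // A nested copy: two different ranges of is-arrayish are installed side by side.
    "node_modules/simple-swizzle/node_modules/is-arrayish": { version: "0.3.2" },
    "node_modules/error-ex": { version: "1.3.2", dependencies: { "is-arrayish": "^0.2.1" } },
    "node_modules/is-arrayish": { version: "0.2.1" },
  },
};

// Resolve `dep` as Node would from the package installed at `fromKey`:
// try <fromKey>/node_modules/<dep>, then walk up one node_modules level at a
// time until the top-level node_modules/<dep>. Returns the lockfile key or null.
function resolveDep(packages, fromKey, dep) {
  let base = fromKey;
  for (;;) {
    const candidate = base ? `${base}/node_modules/${dep}` : `node_modules/${dep}`;
    if (candidate in packages) return candidate;
    if (!base) return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Depth-first walk from the root package (key ""). Every time an edge lands on
// `target`, record the chain of name@version pairs that led there.
function pathsTo(lock, target) {
  const packages = lock.packages;
  const results = [];
  const walk = (key, chain, seen) => {
    const deps = (packages[key] && packages[key].dependencies) || {};
    for (const dep of Object.keys(deps)) {
      const resolved = resolveDep(packages, key, dep);
      if (!resolved || seen.has(resolved)) continue; // dangling edge or cycle
      const next = [...chain, `${dep}@${packages[resolved].version}`];
      if (dep === target) results.push(next.join(" > "));
      else walk(resolved, next, new Set([...seen, resolved]));
    }
  };
  walk("", [], new Set());
  return results;
}

// The direct dependencies responsible, deduplicated: the first hop of each chain.
function directDependantsOf(lock, target) {
  return [...new Set(pathsTo(lock, target).map((p) => p.split(" > ")[0].split("@")[0]))];
}

for (const chain of pathsTo(LOCK, "is-arrayish")) console.log(chain);
console.log("pulled in by:", directDependantsOf(LOCK, "is-arrayish").join(", "));
```

Run it against a real project by replacing LOCK with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))`; lockfiles with lockfileVersion 1 or 2 use a different "dependencies" tree and would need a different walker. Note that the nested install resolves to a different version than the top-level one, which is exactly the situation where a compromised release of a tiny package can be present in a project that also carries an unaffected copy.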

tkiolp4 4 days ago | parent | prev [-]

They should ban Qix.