Nah…

Everybody knows npm is a gaping security issue waiting to happen. Repeatedly.

It’s convenient, so it’s popular.

Many people also don’t vendor their own dependencies, which would slow down the spread at the price of not being instantly up to date.

▲

dabockster 4 days ago | parent | next [-]

> Many people also don’t vendor their own dependencies, which would slow down the spread at the price of not being instantly up to date.

npm sold it really hard that you could rely on them and not have to vendor dependencies yourself. If I suggested that a decade ago in Seattle, I would have gotten booed out of the room.

▲

marcus_holmes 3 days ago | parent [-]

I have repeatedly been met with derision when pointing out what a gaping security nightmare the whole Open Source system is, especially npm and its ilk.

Yet here we are. And this is going to get massively worse, not better.

	▲	Intermernet 3 days ago \| parent [-]
		Nothing specific to open source is to blame in this instance. The author got phished. Open source software often has better code vetting and verification than closed source software. npm, however, does not.

▲

johnisgood 3 days ago | parent | prev | next [-]

Convenient, as in the barrier to entry is way too low. I am pretty much against it.

▲

albedoa 3 days ago | parent | prev [-]

> Nah…

I mean, I believe you, but the person you are replying to obviously believes that they are similar. Could you explain the significant differences?