Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
zachrip 4 hours ago

I can tell a lot about a dev by the fact that they single out npm/js for this supply chain issue.

brobdingnagians 3 hours ago | parent | next [-]

Lots of languages ecosystems have this problem, but it is especially prominent in JS and lies on a spectrum. For comparison, in the C/C++ ecosystem it is prominent to have libraries advertising that they have zero dependencies and header only or one common major library like Boost.

cedws an hour ago | parent | prev | next [-]

The JavaScript ecosystem has a major case of import-everything disease that acts as a catalyst for supply chain attacks. left-pad as one example of many.

RUnconcerned 3 hours ago | parent | prev | next [-]

What other language ecosystems have had this happen systematically? This isn't even the first time this month!

johnisgood 2 hours ago | parent | next [-]

Rust.

blueflow 2 hours ago | parent | prev [-]

Python/PyPi.

lithos 3 hours ago | parent | prev | next [-]

Just more engineering leaning than you. Actual engineers have to analyze their supply chains, and so makes sense they would be baffled by NPM dependency trees that utterly normal projects grow into in the JavaScript ecosystem.

zachrip 3 hours ago | parent [-]

Do you think companies using node don't analyze supply chains? That's nonsense. Have you cargo installed a rust app recently? This isn't just a js issue. This needs to be solved across the industry and npm frankly has done a horrible job at it. We let people with billions of downloads a month with recently changed password/2fa publish packages? Why don't we pool assets as a collective to scan newly published packages before they're allowed to be installed? These types of things really should exist across all package registries (and my really hot take is that we probably don't need a registry for every language, either!).

pclmulqdq an hour ago | parent | next [-]

It is solved across the industry for those who care. If you use cargo, npm, or a python package manager, you may have a service that handles static versioning of dependencies for security purposes. If you don't, you aren't generally working in a language that encourages so much package use.

LaGrange an hour ago | parent | prev [-]

> Do you think companies using node don't analyze supply chains?

I _know_ many don’t. In fact suggesting doing it is a good way to be looked at like a crazy person and be told something like “this is a yes place not a no place.”

3 hours ago | parent | prev | next [-]
[deleted]
hsbauauvhabzb 4 hours ago | parent | prev | next [-]

That they’ve coded in more than one language?

Aeolun 3 hours ago | parent | prev [-]

I think it’s just that a lot of old men don’t like how popular it has become with script kiddies.