WD-42 2 hours ago

I mostly agree. But NPM is special, in that the exposure is so much higher. The hypothetical python+htmx web app might have 10s of dependencies (including transitive) whereas your typical JavaScript/React will have 1000s. All an attacker needs to do is find one of many packages like TinyColor or Leftpad or whatever and now loads of projects are compromised.

lucideer 31 minutes ago

> NPM is special, in that the exposure is so much higher.

NPM is special in the same way as Windows is special when it comes to malware: it's a more lucrative target.

However, the issue here is that - unlike Windows - targeting NPM alone does not incur significantly less overhead than targeting software registries more broadly. The trade-off between focusing purely on NPM & covering a lot of popular languages isn't high, & imo isn't a worthwhile trade-off.

skydhash 2 hours ago

Stuff like Babel, React, Svelte, Axios, Redux, Jest… should be self contained and not depend on anything other than being a peer dependency. They are core technological choices that happen early in the project and are hard or impossible to replace afterwards.

WorldMaker 18 minutes ago

- I feel that you are unlikely to need Babel in 2025, most things it historically transpiled are Baseline Widely Available now (and most of the things it polyfilled weren't actually Babel's but brought in from other dependencies like core-js, which you probably don't need either in 2025). For the rest of the things it still transpiles (pretty much just JSX) there are cheaper/faster transpilers with fewer external dependencies and runtime dependencies (TypeScript, esbuild). It should not be hard to replace Babel in your stack: if you've got a complex webpack solution (say from CRA reasons) consider esbuild or similar.

- Axios and Jest have "native" options now (fetch and node --test). fetch is especially nice because it is the same API in the browser and in Node (and Deno and Bun).

- Redux is self-contained.

- React itself is sort of self-contained, it's the massive ecosystem that makes React the most appealing that starts to drive dependency bloat. I can't speak to Svelte.

johnisgood 2 hours ago

Well, your typical Rust project has over 1000 dependencies, too. Zed has over 2000 in release mode.

spoiler 28 minutes ago

Not saying this in defence of Rust or Cargo, but oftentimes those dependencies are just different versions of the same thing. In a project at one of my previous companies, a colleague noticed we had LOADS of `regex` crate versions. Forgot the number but it was well over 100.

treyd 8 minutes ago

That seems like a failure in workspace management. The most duplicates I've seen was 3, with crates like url or uuid, even in projects with 1000+ distinct deps.
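The two measurable claims in this thread are the size of the transitive dependency surface (WD-42's point about 10s vs 1000s of packages) and how much of a big lockfile is really the same crate at several versions (spoiler's and treyd's exchange). Both can be read straight off a lockfile. The script below is an added example, not code from any commenter: it walks a `package-lock.json` (lockfileVersion 2/3 layout, resolving nested `node_modules` the way npm does) to report direct vs installed package counts, the deepest chain, and names installed at more than one version, and it scans a `Cargo.lock` for crates present at multiple versions. Both sample lockfiles are constructed for illustration, and the Cargo parser is a minimal line-based reader of the `name`/`version` fields rather than a full TOML parser.

```python
import json
import re
from collections import defaultdict, deque

# --- Constructed sample inputs (not lockfiles from any real project) ---
SAMPLE_PACKAGE_LOCK = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"react": "^18.0.0", "axios": "^1.0.0"}},
        "node_modules/react": {"version": "18.2.0",
                               "dependencies": {"loose-envify": "^1.1.0"}},
        "node_modules/loose-envify": {"version": "1.4.0",
                                      "dependencies": {"js-tokens": "^4.0.0"}},
        "node_modules/js-tokens": {"version": "4.0.0"},
        "node_modules/axios": {"version": "1.6.0",
                               "dependencies": {"follow-redirects": "^1.15.0",
                                                "js-tokens": "^3.0.0"}},
        # a second js-tokens nested under axios: one name, two installed versions
        "node_modules/axios/node_modules/js-tokens": {"version": "3.0.0"},
        "node_modules/follow-redirects": {"version": "1.15.3"},
    },
})

SAMPLE_CARGO_LOCK = """\
# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "demo"
version = "0.1.0"
dependencies = [
 "regex 1.10.2",
 "url",
]

[[package]]
name = "regex"
version = "1.10.2"

[[package]]
name = "regex"
version = "1.7.3"

[[package]]
name = "url"
version = "2.5.0"
"""


def _resolve(packages, from_path, name):
    """Lockfile key npm resolves `name` to when required from `from_path`:
    nearest enclosing node_modules first, then each ancestor, then top level."""
    base = from_path
    while True:
        candidate = f"{base}/node_modules/{name}" if base else f"node_modules/{name}"
        if candidate in packages:
            return candidate
        if not base:
            return None  # unresolvable (e.g. an optional dep that was skipped)
        idx = base.rfind("/node_modules/")
        base = base[:idx] if idx != -1 else ""


def npm_dependency_summary(lock_text):
    """Direct vs installed counts, deepest package (shortest-chain distance
    from package.json) and names installed at more than one version."""
    packages = json.loads(lock_text)["packages"]
    direct = packages.get("", {}).get("dependencies", {})
    installed = [p for p in packages if p]  # every node_modules entry, nested ones included

    depth = {"": 0}
    queue = deque([""])
    while queue:  # BFS over the resolved graph
        path = queue.popleft()
        for dep in packages[path].get("dependencies", {}):
            target = _resolve(packages, path, dep)
            if target and target not in depth:
                depth[target] = depth[path] + 1
                queue.append(target)

    by_name = defaultdict(set)
    for path in installed:  # "node_modules/@scope/x" -> "@scope/x"
        by_name[path.rsplit("node_modules/", 1)[1]].add(packages[path].get("version"))
    return {
        "direct": len(direct),
        "installed": len(installed),
        "max_depth": max(depth.values()),
        "duplicates": {n: sorted(v) for n, v in by_name.items() if len(v) > 1},
    }


def cargo_duplicate_versions(lock_text):
    """Crates that appear in Cargo.lock at more than one version."""
    versions = defaultdict(set)
    name = None
    for line in lock_text.splitlines():
        line = line.strip()
        if line == "[[package]]":
            name = None  # new package block; wait for its name line
        m = re.fullmatch(r'(name|version)\s*=\s*"([^"]*)"', line)
        if not m:
            continue  # skips the unquoted top-level `version = 3` as well
        if m.group(1) == "name":
            name = m.group(2)
        elif name is not None:
            versions[name].add(m.group(2))
    return {n: sorted(v) for n, v in versions.items() if len(v) > 1}


if __name__ == "__main__":
    print(npm_dependency_summary(SAMPLE_PACKAGE_LOCK))
    print(cargo_duplicate_versions(SAMPLE_CARGO_LOCK))
```

On a real project, point the two functions at the contents of your own lockfiles; a large `duplicates` map is the symptom treyd describes, and the gap between `direct` and `installed` is the exposure WD-42 is counting.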