layer8 10 hours ago

For some reason, NPM is the only ecosystem with substantial issues with supply-chain attacks.

    SoKamil 9 hours ago

    Popularity

        fsflover 2 hours ago

        The number of issues is disproportionately larger than the one for Debian.

    techterrier 10 hours ago

    apart from that python one the other day

    indy 9 hours ago

    The culture within the npm/js community has mainly been one of using the package manager rather than "re-inventing the wheel"; as such, the blast radius of a compromised package is much greater.

        progmetaldev 5 hours ago

        It's more to do with the standard library being so barren of common application needs, and looking for a solution that the community has gotten behind. Axios has been a common dependency in many codebases, because it is a solid solution that many have already used. Every developer could try building all the libraries that they would reach for themselves, but then each company has now taken on the task of ensuring their own (much larger) codebase is free from security issues, on top of taking care of their own issues and bugs.

        christophilus 7 hours ago

        It's not just NPM, though. Every Rails project and every Rust project I've seen ended up with massive numbers of dependencies vs. what an equivalent project in Go or C# would have needed.

            5 hours ago

            [deleted]

            anthk 4 hours ago

            CPAN too: just try Hailo under Perl to test an old-fashioned chatbot based on Markov chains, where very small LLMs and Hailo converge if used with the advanced training options for it. Yes, it will pull tons of dependencies (fewer with cpanminus if run with 'cpanm -n Hailo'), but contrary to NPM, Pip and the like, CPAN's repos are highly curated, and before PHP and ubiquitous Python, Perl was used everywhere, from a sysadmin language (better than Bash/Sh for sure) to CGI, IRC bots and whatnot. How many issues did we have? Zero or near zero.

    rvz 5 hours ago

    It is because it has the lowest barrier to entry with no quality control. Ever. This is what happens when there is no barrier to entry and it includes everyone who has no idea what they are doing in charge of the NPM community. When you see a single package having 25+ dependencies, that is a bad practice and increases the risk of supply chain attacks. Most of them don't even pin their dependencies, and I called this out just yesterday on OneCLI. [0] It just happens that NPM is the worst out of all of the rest of the ecosystems due to the above.

    [0] https://news.ycombinator.com/item?id=47577183