giancarlostoro 5 hours ago

What's funnier to me is none of them seem to want to abandon npm which keeps getting exploited and hacked. NPM has been the source of just how many industry-wide hacks? Three major ones, and a massive supply-chain industry-wide campaign against npm. But yeah, bun is the real concern here.

I think we need to smell the coffee and review npm and scrutinize it because it is getting dangerously out of hand.

pier25 an hour ago | parent | next [-]

> none of them seem to want to abandon npm which keeps getting exploited and hacked

Do you know of a better alternative for JS/TS that has all the popular packages?

rglover 17 minutes ago | parent [-]

Not perfect, but I use Verdaccio to run my own npm server and for third party deps, I clone, eval, and then if it's clean, push a safe copy to my own server (not for everything, just the most sensitive, hardcore stuff but eyeballing building a tool to semi-automate it due to recent chaos). You can even clone from remote URLs (point to a tarball from package.json instead of a version) so I've considered just using a private bucket.

Tedious, but makes the "npm hacked again" posts mostly moot.

TiredOfLife 2 hours ago | parent | prev | next [-]

Also RubyGems, Packagist, PyPI

baggy_trough an hour ago | parent [-]

What's the worst hack to affect users of rubygems?

pwdisswordfishs 41 minutes ago | parent [-]

DHH, of course.

tankenmate 4 hours ago | parent | prev [-]

From my perspective it is a synthesis of "It is difficult to get a man to understand something, when his salary depends upon his not understanding it." and "but npm is the source of all the shiny shiny!".