←back to thread

NPM debug and chalk packages compromised

(www.aikido.dev)
1369 points universesquid | 10 comments | 08 Sep 25 15:37 UTC | HN request time: 0.201s | source | bottom
Show context
stathibus ◴[08 Sep 25 16:00 UTC] No.45169926[source]
As an outsider to the npm ecosystem, reading this list of packages is astonishing. Why do js people import someone else's npm module for every little trivial thing?
replies(11): >>45169990 #>>45169999 #>>45170008 #>>45170014 #>>45170015 #>>45170016 #>>45170038 #>>45170063 #>>45170879 #>>45170926 #>>45170953 #
thewebguyd ◴[08 Sep 25 16:07 UTC] No.45170014[source]
Lack of a good batteries-included stdlib. You're either importing a ton of little dependencies (which then depend on other small libraries) or you end up writing a ton of really basic functionality yourself.
replies(7): >>45170048 #>>45170122 #>>45170272 #>>45170290 #>>45170423 #>>45171054 #>>45173580 #
1. skydhash ◴[08 Sep 25 16:15 UTC] No.45170122[source]
But why can’t we have a good library instead of those mini thingies?
replies(5): >>45170207 #>>45170234 #>>45170459 #>>45171940 #>>45172388 #
2. zahlman ◴[08 Sep 25 16:21 UTC] No.45170207[source]
Because you have to figure out what should be in it, and coordinate the distribution. It's not like there's a reference implementation of JavaScript maintained by a well-known team that you consciously install everywhere that you need it.
replies(1): >>45171550 #
3. eviks ◴[08 Sep 25 16:23 UTC] No.45170234[source]
Because a mini thing can be written in mini time by a mini number of people
replies(1): >>45174108 #
4. progbits ◴[08 Sep 25 16:39 UTC] No.45170459[source]
For C++ there are Boost, Folly, Absl, several more large libraries with reputable orgs behind them. I'm surprised someone doesn't make a big npm lib like that.

Not hating on the author but I doubt similar compromise would happen to Facebook or Google owned package.

replies(1): >>45170658 #
5. ChocolateGod ◴[08 Sep 25 16:54 UTC] No.45170658[source]
> doesn't make a big npm lib like that.

People have done, but the ecosystem has already engrossed around the current status quo and it's very hard to get rid of habits.

example https://github.com/stdlib-js/stdlib

6. skydhash ◴[08 Sep 25 17:56 UTC] No.45171550[source]
Node is pretty much everywhere regarding JavaScript cli and web apps (server side). As for the web it’s hard to argue for a slim library when most sites are dumping huge analytics bundle on us.

At this point, it’s just status-quo and lazyness

7. mhitza ◴[08 Sep 25 18:26 UTC] No.45171940[source]
Because "look at how many open source packages I maintain!"

At a time small JS libraries were desired, and good library marketing approach, but nowadays simple sites ship megabytes of without a care.

In particular this developer is symptomatic of the problem of the NPM ecosystem and I've used him multiple times as an example of what not to do.

8. jamesnorden ◴[08 Sep 25 19:01 UTC] No.45172388[source]
The JS ecosystem values quantity over quality, for some bizarre reason.
9. pixl97 ◴[08 Sep 25 21:16 UTC] No.45174108[source]
And a mini thing can be switched to another 'mini' package easy enough if the current package decides to do something dumb.

If your mega package decides to drop something you need you pretty much have to follow.

replies(1): >>45174942 #
10. skydhash ◴[08 Sep 25 22:31 UTC] No.45174942{3}[source]
> If your mega package decides to drop something you need you pretty much have to follow.

Or you can code it in. Mega packages can be very stable. Think SDL, ffmpeg, ImageMagick, Freetype...There's usually a good justification for dropping something alongside a wide deprecation windows. You don't just wake up and see the project gone. It's not like the escape codes for the unix terminal are going to change overnight.