(www.aikido.dev)

1369 points universesquid | 2 comments | 08 Sep 25 15:37 UTC | HN request time: 0s | source

https://github.com/advisories/GHSA-8mgj-vmr8-frr6

Show context

stathibus ◴[08 Sep 25 16:00 UTC] No.45169926[source]▶

As an outsider to the npm ecosystem, reading this list of packages is astonishing. Why do js people import someone else's npm module for every little trivial thing?

replies(11): >>45169990 #>>45169999 #>>45170008 #>>45170014 #>>45170015 #>>45170016 #>>45170038 #>>45170063 #>>45170879 #>>45170926 #>>45170953 #

thewebguyd ◴[08 Sep 25 16:07 UTC] No.45170014[source]▶

>>45169926 #

Lack of a good batteries-included stdlib. You're either importing a ton of little dependencies (which then depend on other small libraries) or you end up writing a ton of really basic functionality yourself.

replies(7): >>45170048 #>>45170122 #>>45170272 #>>45170290 #>>45170423 #>>45171054 #>>45173580 #

skydhash ◴[08 Sep 25 16:15 UTC] No.45170122[source]▶

>>45170014 #

But why can’t we have a good library instead of those mini thingies?

replies(5): >>45170207 #>>45170234 #>>45170459 #>>45171940 #>>45172388 #

1. progbits ◴[08 Sep 25 16:39 UTC] No.45170459[source]▶

>>45170122 #

For C++ there are Boost, Folly, Absl, several more large libraries with reputable orgs behind them. I'm surprised someone doesn't make a big npm lib like that.

Not hating on the author but I doubt similar compromise would happen to Facebook or Google owned package.

replies(1): >>45170658 #

2. ChocolateGod ◴[08 Sep 25 16:54 UTC] No.45170658[source]▶

>>45170459 (TP) #

> doesn't make a big npm lib like that.

People have done, but the ecosystem has already engrossed around the current status quo and it's very hard to get rid of habits.

example https://github.com/stdlib-js/stdlib

↑

NPM debug and chalk packages compromised