←back to thread

NPM debug and chalk packages compromised

(www.aikido.dev)
1369 points universesquid | 1 comments | 08 Sep 25 15:37 UTC | HN request time: 0s | source
Show context
stathibus ◴[08 Sep 25 16:00 UTC] No.45169926[source]
As an outsider to the npm ecosystem, reading this list of packages is astonishing. Why do js people import someone else's npm module for every little trivial thing?
replies(11): >>45169990 #>>45169999 #>>45170008 #>>45170014 #>>45170015 #>>45170016 #>>45170038 #>>45170063 #>>45170879 #>>45170926 #>>45170953 #
thewebguyd ◴[08 Sep 25 16:07 UTC] No.45170014[source]
Lack of a good batteries-included stdlib. You're either importing a ton of little dependencies (which then depend on other small libraries) or you end up writing a ton of really basic functionality yourself.
replies(7): >>45170048 #>>45170122 #>>45170272 #>>45170290 #>>45170423 #>>45171054 #>>45173580 #
skydhash ◴[08 Sep 25 16:15 UTC] No.45170122[source]
But why can’t we have a good library instead of those mini thingies?
replies(5): >>45170207 #>>45170234 #>>45170459 #>>45171940 #>>45172388 #
eviks ◴[08 Sep 25 16:23 UTC] No.45170234[source]
Because a mini thing can be written in mini time by a mini number of people
replies(1): >>45174108 #
pixl97 ◴[08 Sep 25 21:16 UTC] No.45174108[source]
And a mini thing can be switched to another 'mini' package easy enough if the current package decides to do something dumb.

If your mega package decides to drop something you need you pretty much have to follow.

replies(1): >>45174942 #
1. skydhash ◴[08 Sep 25 22:31 UTC] No.45174942[source]
> If your mega package decides to drop something you need you pretty much have to follow.

Or you can code it in. Mega packages can be very stable. Think SDL, ffmpeg, ImageMagick, Freetype...There's usually a good justification for dropping something alongside a wide deprecation windows. You don't just wake up and see the project gone. It's not like the escape codes for the unix terminal are going to change overnight.