←back to thread

NPM debug and chalk packages compromised

(www.aikido.dev)
1369 points universesquid | 1 comments | 08 Sep 25 15:37 UTC | HN request time: 0s | source
Show context
stathibus ◴[08 Sep 25 16:00 UTC] No.45169926[source]
As an outsider to the npm ecosystem, reading this list of packages is astonishing. Why do js people import someone else's npm module for every little trivial thing?
replies(11): >>45169990 #>>45169999 #>>45170008 #>>45170014 #>>45170015 #>>45170016 #>>45170038 #>>45170063 #>>45170879 #>>45170926 #>>45170953 #
nine_k ◴[08 Sep 25 16:07 UTC] No.45170008[source]
Having a module for every little trivial thing allows you to only bring these modules inside the JS bundle you serve to your client. If there's a problem in one trivial-thing function, other unrelated trivial things can still be used, because they are not bundled in the same package.

A comprehensive library might offer a more neat DX, but you'd have to ship library code you don't use. (Yes, tree-shaking exists, but still is tricky and not widespread.)

replies(3): >>45170169 #>>45171158 #>>45171236 #
palmfacehn ◴[08 Sep 25 17:31 UTC] No.45171158[source]
Things like this are good illustrations as to why many feel that the entire JS ecosystem is broken. Even if you have a standard lib included in a language, you wouldn't expect a bigger binary because of the standard lib. The JS solution is often more duct tape on top of a bad design. In this case tree shaking, which may or may not work as intended.
replies(2): >>45172102 #>>45174402 #
crabmusket ◴[08 Sep 25 21:42 UTC] No.45174402[source]
I agree with you, but I'd ask- what other language needs to distribute to an unknown runtime environment over the network?

If it's the browser's job to implement the standard library, how do you ensure that all browsers do this in a compliant and timely fashion? And if not, how do you optimise code-on-demand delivery over the internet?

I don't deny there are/could be solutions to this. But historically JS devs have wrestled with these issues as best they can and that has shaped what we see today.

replies(3): >>45175045 #>>45177500 #>>45186443 #
1. int_19h ◴[09 Sep 25 18:33 UTC] No.45186443{3}[source]
> how do you ensure that all browsers do this in a compliant and timely fashion?

The ecosystem somehow manages to figure this out for things like fancy CSS gradients...