I wouldn't be surprised if principles in this case leave us with thousands of spam packages degrading the node ecosystem forever. It'd be exactly what I expect. So I guess I should thank the principle of consistency.
It's not even that I disagree, it's that it's a conversation killer. "The JS ecosystem is bad" has no response someone could make besides "no it's not", which is boring. "The JS ecosystem encourages using a million tiny unmaintained packages and that is bad" is a much more interesting statement that can spark a useful discussion.
This is an indication that the problem is either with some facet of NPM itself, javascript the language or js programmers, as that is what distinguishes the ecosystem from e.g. Maven or Pip that do not suffer from the same problems, at least not to the same extent.
However, going from this observation to isolating causal factors is a lot harder, and randomly guessing isn't very likely to hit the mark.
[1] claims that half of Python packages have security issues.
[2] says that the Rust supply chain has security issues.
Just as two examples.
---
[1]: https://www.theregister.com/2021/07/28/python_pypi_security/
I'm not asking for solutions, and I'm not asking for people to identify causal factors. I'm asking for people to put a little bit more effort into their criticisms of the JS ecosystem than just "it's obviously and empirically a dumpster fire".
Continuing on this, I wonder if this is a cultural thing or if there are actual technical choices made in NPM that play a role. Could NPM change something in their package management to change this? Should they?
Instead, what it does have is a huge prevalence of those features, and a minimal size of "safe space" where one can have some confidence they will not appear. Both of those are quantitative differences, which people cannot summarize in a short comment, and which people can easily dismiss with (misguided or dishonest) counterexamples.
So, what you are asking for is a full blown large scale study of several ecosystems. Somebody may do something like that, but not for a comment, and not because you asked.
All ecosystems that are sufficiently popular have terrible problems. They have different problems, but none is consistently pleasant to work with. Out of all of them, though, JS gets singled out for constant attacks because... reasons.
I just want people to identify what those reasons are so we can have a conversation about them rather than just endlessly repeating the meme.
It'd be one thing if npm added audit warnings along the lines of "3 dependencies are likely spam." It'd be a totally different story for npm to remove them automatically based on a toolset used, in the GP example.