You totally misunderstood my point. I wasn't talking about backdoors or supply chain attacks. When I say that a dependency downloads and executes random shit from the Internet, I mean it as a behavior intended to fulfill its function. The problem is that this is generally acceptable in the nodejs/NPM ecosystem. In other words, the gap in dependency hygiene between nodejs/NPM and other ecosystems is huge, and its users seem not to bother.
See the link in my original post. The other things I'm aware of are ridiculous behaviors of npm packages, like create-react-app, which feels the right thing to do is to spawn my $EDITOR when it sees an exception in the log (which it hides), except that the whole terminal session freezes because vim and create-react-app fight for the tty. And there are other things where authors pull in an insane number of dependencies to log in their own colorful, fancy way.
But then again, I'm not that well versed in nodejs to judge by that experience alone. As I said in the middle, I'm not trying to dismiss the author's work. I'm sorry for the tone of my previous replies. This comment thread I spawned is also very off-topic.
>Over a year ago, I was investigating using Prisma to be the ORM for a GraphQL API of a Postgres database. When doing a proof-of-concept, I discovered that under the hood @prisma/client was spinning up its own GraphQL server that it would send requests to in order to generate SQL to send to postgres. This extra middleware layer between my frontend code and postgres generated some pretty poorly performing queries that took 50% longer to complete than the queries generated by using Hasura as our whole GraphQL API.
Doesn't seem like it's worth writing off Node/JavaScript/NPM just due to this large project making a questionable design decision.
>like create-react-app, which feels the right thing to do is to spawn my $EDITOR when it sees an exception in the log (which it hides)
Just seems like it's Facebook's problem. I wouldn't be surprised if there's some Python package out there that does something similar. There's nothing inherent about JavaScript that makes this more likely to happen. Maybe there's something inherent about the community, but I'd really need to see a thorough empirical analysis of packages across a lot of languages before I start making judgments about that.
It might be worth making fun of a particular package if they pull in way too many other packages, but it's still all a case-by-case evaluation.
I personally strongly dislike JavaScript and much of its ecosystem, myself; it's just the kneejerk pattern-matching reaction that I thought was unwarranted.