this post was submitted on 11 Feb 2024
113 points (95.2% liked)

Programming

22019 readers
297 users here now

Welcome to the main community in programming.dev! Feel free to post anything relating to programming here!

Cross posting is strongly encouraged in the instance. If you feel your post or another person's post makes sense in another community cross post into it.

Hope you enjoy the instance!

Rules

Rules

  • Follow the programming.dev instance rules
  • Keep content related to programming in some way
  • If you're posting long videos try to add in some form of tldr for those who don't want to watch videos

Wormhole

Follow the wormhole through a path of communities !webdev@programming.dev

founded 2 years ago
MODERATORS
snowe@programming.dev
Ategon@programming.dev
MaungaHikoi@lemmy.nz
UlrikHD@programming.dev
113
When "Everything" Becomes Too Much: The npm Package Chaos of 2024 (socket.dev)
submitted 2 years ago* (last edited 2 years ago) by testeronious@lemmy.world to c/programming@programming.dev
22 comments fedilink hide all child comments
you are viewing a single comment's thread
view the rest of the comments
[–] QuazarOmega@lemy.lol 13 points 2 years ago (3 children)

This is hilarious, but now I'm wondering, what would a saner package manger look like?

[–] jeffhykin@lemm.ee 6 points 2 years ago* (last edited 2 years ago) (1 children)

Ryan Dhal, the creator of node, litterally saw the npm problem(s) before incidents like this happened, and created Deno to fix his mistakes. And fix them he did! The Deno import system is incredible. Its basically the only reason I use deno. You can just import URLs directly, the deno vendors (aka caches) them. Deno has an equivlent to npm.org (Deno.land/x) but anyone can import straight from github, or make their npm.org equivlent, or import from their own private server. So if a company wants reliability, they can mirror deno.land while also avoiding unpublishing.

[–] QuazarOmega@lemy.lol 2 points 2 years ago

Yes, that's really nice! Even though I haven't touched it in a long time, I remember messing around with it out as soon as it came out a few years ago. There's also nest.land between the alternative repositories, I find their concept interesting

[–] Masterkraft0r@discuss.tchncs.de 4 points 2 years ago

have a look at nix

[–] azertyfun@sh.itjust.works 1 points 2 years ago
  1. Like Python, have a large and featureful standard library such that > 80% of NPM packages are redundant. Other languages allow you to make very large projects with only a few tens of dependencies. JavaScript requires THOUSANDS.
  2. With this in place, stop with the recursive dependencies, immediately and forever. Every other package manager under the sun installs the dependencies next to each other.

I'd say pip is saner, though not by much as its support for private registries is very bad and seems designed to facilitate supply-chain attacks. I've heard a lot of good things about cargo but haven't used it enough myself to have a strong opinion.