npm is a complete security failure because people use it as a CDN and even rely on future versions of whatever modules they use, without any kind of testing or review before blindly shoving anything newly released into production.

Small modules that are downloaded 5 trillion times a second depend on other small modules that are downloaded 67 septillion times a millisecond, and people often rely on “future” versions (a ^ or ~ range, or a tag like latest) without ever locking down to a specific known version. Combine that with people blindly trusting anyone on the internet to take over a module.

That’s when you get these absurd scenarios, because JavaScript projects have 500 megajillion dependencies and nobody ever reviews anything.

Many JS developers act like collecting dependencies is a good thing, like collecting stickers you can put on your laptop and on your resume: “I know a gajillion different modules, look at me!”. Any project with more dependencies than you can count on one hand is nothing but bloat and a liability.
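As an added check, not code from the original post: a small Node script that takes a parsed package.json and flags every dependency whose specifier is not an exact version, i.e. every entry that a plain `npm install` can resolve to a newer release than the one you reviewed. The package.json embedded below is a constructed sample and its package names are made up.

```javascript
// Added example, not code from the original post: flag every dependency
// specifier in a package.json that is not an exact, known version. Anything
// else (a ^ or ~ range, a comparator, "*", a dist-tag like "latest", a git
// branch or tag) lets a plain `npm install` resolve to whatever gets
// published later, which is exactly the "future versions" problem.
"use strict";

// Exact semver: MAJOR.MINOR.PATCH with optional prerelease and build metadata.
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;
// A git spec is only reproducible when it names a full 40-hex commit hash.
const FULL_COMMIT = /#[0-9a-f]{40}$/;
const DEP_FIELDS = ["dependencies", "devDependencies", "optionalDependencies"];

// Return null when `spec` pins one exact version, otherwise a short reason
// explaining why the resolved version can change between installs.
function whyUnpinned(spec) {
  let s = String(spec).trim();
  // npm alias syntax "npm:real-name@<spec>": judge the inner spec.
  if (s.startsWith("npm:")) {
    const at = s.lastIndexOf("@");
    s = at > 4 ? s.slice(at + 1) : ""; // index 4 would be a scope "@", not a version separator
  }
  // npm also accepts "=1.2.3" and "v1.2.3" as exact versions.
  const bare = s.replace(/^[=v]/, "");
  if (EXACT_VERSION.test(bare)) return null;
  if (s === "" || s === "*" || /^x$/i.test(s)) return "matches any version";
  if (/^(git\+|git:|https?:|ssh:|github:|gitlab:|bitbucket:)/.test(s) ||
      /^[\w.-]+\/[\w.-]+(#.*)?$/.test(s)) {
    return FULL_COMMIT.test(s) ? null : "git/URL spec without a full commit hash";
  }
  if (/^(file:|link:|\.\.?\/|\/)/.test(s)) return "local path, not a registry version";
  if (/^[~^<>=\d]/.test(s)) return `range "${s}"`;
  if (/^[A-Za-z]/.test(s)) return `dist-tag "${s}" (moves on every publish)`;
  return `unrecognised specifier "${s}"`;
}

// Walk the dependency fields of a parsed package.json and list every entry
// that can resolve to a different version tomorrow than it did today.
function findUnpinned(pkg) {
  const findings = [];
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const reason = whyUnpinned(spec);
      if (reason) findings.push({ field, name, spec, reason });
    }
  }
  return findings;
}

// Constructed sample package.json; the package names are made up.
const SAMPLE_PACKAGE_JSON = {
  name: "example-app",
  dependencies: {
    "tiny-helper": "^1.3.0",   // caret range: any 1.x.y at or above 1.3.0
    "date-lib": "4.17.21",     // exact pin
    "some-cli": "latest",      // dist-tag, re-resolved on every install
    "internal-lib": "git+https://example.com/org/internal-lib.git#main", // branch moves
    "vendored": "git+https://example.com/org/vendored.git#0123456789abcdef0123456789abcdef01234567",
    "util-alias": "npm:some-util@~2.1.0", // alias hiding a tilde range
  },
  devDependencies: {
    "lint-tool": "*",          // anything at all
  },
};

const findings = findUnpinned(SAMPLE_PACKAGE_JSON);
for (const f of findings) console.log(`${f.field}.${f.name}: ${f.spec} -> ${f.reason}`);
console.log(`${findings.length} unpinned dependencies`);
```

Run it against a real package.json with `JSON.parse(fs.readFileSync("package.json", "utf8"))` in place of the sample. Pinning the top-level manifest is only half of it: commit package-lock.json and install with `npm ci`, which refuses to proceed when the lockfile and package.json disagree, set `npm config set save-exact true` so that `npm install <pkg>` writes an exact version instead of a caret range, and consider `--ignore-scripts` so a hijacked module cannot run arbitrary code at install time.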

Alex Hultman