SAN FRANCISCO, CA - In the wake of a devastating supply chain attack in the npm registry that left millions of enterprise applications compromised and billions of user records exposed, developers across the JavaScript ecosystem expressed deep sorrow today, lamenting that such a crisis was completely unavoidable.
“It’s a shame, but what can you do? This is just the price of building modern web apps,” said Senior Frontend Engineer Mark Vance, echoing the sentiments of a community that completely relies on a 40-level-deep nested tree of unvetted packages maintained by pseudonymous strangers to capitalize a single string. “There’s absolutely no way to foresee or prevent someone from taking over a long-abandoned utility package and injecting a crypto-miner into every production build in the world. It’s just an act of nature.”
There’s definitely a problem with the “JavaScript culture”. The whole “we’re going to make everything as easy as possible” approach has some definite negatives, but when you raise them you get accused of gate-keeping.
But like - yeah, we should be gate-keeping. At least for published and shared code. Having high standards for software development is a good thing. When you don’t you get npm.
Python suffers from this a bit as well - but not as bad as the JavaScript ecosystem where relying on a third-party package that does some trivial function is seen as “normal”.