Comment by bilekas
2 years ago
I agree with you, it's a standalone package. It can be assumed to have some setup permissions. Also, it's far better than packaging the remote code with the installer or binary.
The same people who will complain about this don't really understand how package managers work either. Take npm as an example: you manually install one package. You do not consent explicitly to having all of its dependencies added as well.
This sounds like typical Reddit behaviour.
As you said, a better approach would have been to ask the maintainers to mention it in the readme. No drama required.
I don't use NPM, but that means NPM's behavior isn't that great and maybe shouldn't be an example for others to follow.
Linux package managers with which I'm familiar will absolutely prompt you with the list of dependencies they'll install when you ask for some package and give you the possibility of bailing out.
From the report on Github it seems like Zed will also download LSP for other languages without prompting, so it is initially an issue with Zed, but enhanced by the fact that NPM is misused. It should be noted that other package managers can also run post install scripts.
That being said, I also don't use NPM and actively discard any software that requires me to run an NPM command. It's somewhat funny to me that people are complaining that Python has a package management problem, while at the same time we have NPM, which basically took the ideas from Python and said "What if we made this worse?".
The worst NPM misuse, from my perspective, is people viewing NPM as a platform-agnostic package manager. I can understand not wanting to build .deb, .rpm and Brew packages, but that doesn't mean that just plunking a pre-built binary into NPM is a good choice.
I don't think NPM is a model for anyone to follow to be honest, my gripe is just the hill to die on isn't Zed for this issue.
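The thread's point that npm (like other package managers) runs install-time scripts without prompting is something you can check for yourself before trusting a tree. The script below is an added example, not code from the thread, from Zed, or from npm: it walks a directory, parses every package.json it finds, and reports any `preinstall`, `install`, `postinstall` or `prepare` hook, which are the lifecycle scripts npm executes automatically during an install. The sample node_modules tree it builds in a temp directory is constructed for the demo; the package names and commands in it are made up. (If you only want to block the behaviour rather than audit it, npm's real `--ignore-scripts` flag skips these hooks entirely.)

```python
import json
import os
import tempfile

# Lifecycle hooks that npm runs on its own during `npm install`
# (subset chosen for this example; the full list is in the npm docs).
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def find_lifecycle_scripts(root):
    """Walk `root`, parse every package.json, and return a sorted list of
    (package name, hook name, command) for each install-time hook found."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if "package.json" not in filenames:
            continue
        path = os.path.join(dirpath, "package.json")
        try:
            with open(path, encoding="utf-8") as fh:
                manifest = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip rather than crash
        scripts = manifest.get("scripts") or {}
        if not isinstance(scripts, dict):
            continue
        name = manifest.get("name", os.path.relpath(dirpath, root))
        for hook in LIFECYCLE_HOOKS:
            cmd = scripts.get(hook)
            if isinstance(cmd, str) and cmd.strip():
                findings.append((name, hook, cmd))
    return sorted(findings)


def build_sample_tree():
    """Constructed node_modules tree: one benign package and one that runs
    scripts at install time. Names and commands are invented for the demo."""
    root = tempfile.mkdtemp(prefix="nm-audit-")
    packages = {
        "left-pad-ish": {
            "name": "left-pad-ish",
            "version": "1.0.0",
            "scripts": {"test": "node test.js"},  # not a lifecycle hook
        },
        "native-thing": {
            "name": "native-thing",
            "version": "2.1.0",
            "scripts": {
                "preinstall": "node scripts/check-platform.js",
                "postinstall": "node scripts/download-binary.js",
            },
        },
    }
    for dirname, manifest in packages.items():
        pkg_dir = os.path.join(root, "node_modules", dirname)
        os.makedirs(pkg_dir)
        with open(os.path.join(pkg_dir, "package.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    return root


if __name__ == "__main__":
    tree = build_sample_tree()
    for pkg, hook, cmd in find_lifecycle_scripts(tree):
        print(f"{pkg}: {hook} -> {cmd}")
```

Point it at a real project with `find_lifecycle_scripts("./node_modules")` after an install, or at an extracted tarball before one; anything that downloads or executes a binary in a hook is exactly the class of behaviour the thread is arguing about, and it is worth reading those scripts before letting them run.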