
Comment by vladvasiliu

2 years ago

I don't use NPM, but that means NPM's behavior isn't that great and maybe shouldn't be an example for others to follow.

Linux package managers with which I'm familiar will absolutely prompt you with the list of dependencies they'll install when you ask for some package and give you the possibility of bailing out.

From the report on GitHub it seems like Zed will also download LSP for other languages without prompting, so it is initially an issue with Zed, but enhanced by the fact that NPM is misused. It should be noted that other package managers can also run post-install scripts.

That being said, I also don't use NPM and actively discard any software that requires me to run an NPM command. It's somewhat funny to me that people are complaining that Python has a package management problem, while we at the same time have NPM which basically took the ideas from Python and said "What if we made this worse?".

The worst NPM misuse, from my perspective, is people viewing NPM as a platform-agnostic package manager. I can understand not wanting to build .deb, .rpm and Brew packages, but that doesn't mean that just plunking a pre-built binary into NPM is a good choice.

I don't think NPM is a model for anyone to follow, to be honest; my gripe is just that the hill to die on isn't Zed for this issue.