Comment by marginalia_nu

2 years ago

We can empirically observe that NPM-sphere is relatively alone among software ecosystems to have this particular problem.

This is an indication that the problem is either with some facet of NPM itself, javascript the language or js programmers, as that is what distinguishes the ecosystem from e.g. Maven or Pip that do not suffer from the same problems, at least not to the same extent.

However, going from this observation to isolating causal factors is a lot harder, and randomly guessing isn't very likely to hit the mark.

It's two things really: a small standard library and the sheer size of the developer community. JS has way more developers than any other language. But if you search for "$PROGRAMMING_LANGUAGE supply chain issues" you literally find reports for all popular languages.

[1] claims that half of Python packages have security issues.

[2] says that the Rust supply chain has security issues.

just as two examples.

---

[1]: https://news.ycombinator.com/item?id=40864787

And then there's Go, wherein you simply don't import anything outside of the stdlib. A stoic and rather perfect immunity to this nonsense.

You're doing it again, though: are "this particular problem" and "these problems" the tea.yaml spam? The million tiny packages problem I mentioned? The fact that people online will generically attack the ecosystem without being specific about their complaints?

I'm not asking for solutions, and I'm not asking for people to identify causal factors. I'm asking for people to put a little bit more effort into their criticisms of the JS ecosystem than just "it's obviously and empirically a dumpster fire".

  • A lot of people have already been very specific in many other threads -- "the JS ecosystem has way too many and way too small packages and there's zero curation".

    Not sure what your seemingly intended moderation is supposed to achieve but the complaints towards the JS ecosystem have been very clear for no less than 10 years.

  • "70% of new NPM packages in last 6 months were spam"

    • So we're specifically talking about the tea.yaml spam. More than any other topic that seems like one that is worth digging into details on rather than just shrugging and saying isolating causality is hard.

      If we look at the chart in the original article [0] that this one is a follow-up to, the NPM spam suddenly picked up around the end of February, with new packages per day first doubling and then tripling. So this 70% figure is specific to the last 6 months, not something that has been the case with the ecosystem for a long time.

      That makes tracing causality much simpler: the Tea protocol seems to be pretty clearly the source of the problem. The big open question is why NPM, but the way that people jump to the conclusion that NPM being the target of this attack must have something to do with the flaws in the ecosystem smacks of victim blaming. Isn't it just as possible that NPM was targeted because it's huge? If you're going to run a massive spam campaign you do it where the people are.

      Could NPM learn from this and start controlling spam better? Yes! But that's not the same thing as attributing this tea.yaml nonsense to systemic flaws in the ecosystem: spam prevention has to be balanced with usability, and the balance was pretty decent until 6 months ago.

      [0] https://blog.phylum.io/digital-detritus-unintended-consequen...