Comment by muppetman

4 days ago

You might not be old enough to remember how much everyone hated JavaScript initially - just as an in-browser language. Then suddenly it's a standalone programming language too? WTH??

I assume that's where a lot of the hate comes from. Note that's not my opinion, just wondering if that might be why.

JavaScript is actually fine as the warts have been documented. The main issue these days is the billions of tiny packages. So many people/orgs to trust for every project that uses npm.

  • Nobody is forcing you to use the tiny packages.

    The fact that the tiny packages are so popular despite their triviality is, to me, solid evidence that simply documenting the warts does not in fact make everything fine.

    And I say this as someone who is generally pro having more small-but-not-tiny packages (say, on the order of a few hundred to a few thousand lines) in the Python ecosystem.

    • The point is that Zed's developers have chosen to include prettier, which probably transitively includes many other NPM packages.

      Node and these NPM packages represent a large increase in attack surface for a relatively small benefit (namely, prettier is included in Zed so that Zed's settings.json is easier to read and edit) which makes me wonder whether Zed's devs care about security at all.