Comment by zahlman

4 days ago

Nobody is forcing you to use the tiny packages.

The fact that the tiny packages are so popular despite their triviality is, to me, solid evidence that simply documenting the warts does not in fact make everything fine.

And I say this as someone who is generally pro having more small-but-not-tiny packages (say, on the order of a few hundred to a few thousand lines) in the Python ecosystem.

The point is that Zed's developers have chosen to include prettier, which probably transitively includes many other NPM packages.

Node and these NPM packages represent a large increase in attack surface for a relatively small benefit (namely, prettier is included in Zed so that Zed's settings.json is easier to read and edit), which makes me wonder whether Zed's devs care about security at all.