Comment by parliament32
3 months ago
Real registries do[1], npm is just amateur-hour which is why its usage is typically forbidden in enterprise contexts.
[1] https://www.debian.org/doc/manuals/securing-debian-manual/de...
3 months ago
Real registries do[1], npm is just amateur-hour which is why its usage is typically forbidden in enterprise contexts.
[1] https://www.debian.org/doc/manuals/securing-debian-manual/de...
In all fairness—npm belongs to GitHub, which belongs to Microsoft. Amateur-hour is both not a valid excuse anymore, and also a boring explanation. GitHub is going to great lengths to enable SLSA attestations for secure tool chains; there must be systemic issues in the JS ecosystem that make an implementation of proper attestations infeasible right now, everything else wouldn't really make sense.
So if we're discussing anything here, why not what this reason is, instead of everyone praising their favourite package registry?
The NPM team has repeatedly commented that it's "too hard", effectively, and would discourage new developers from publishing packages. See:
https://github.com/npm/cli/commit/5a3b345d6d5d175ea9ec967364...
I don't think I'd trust a package from a new developer like that, so this helps filter out people that don't know how to properly maintain a package. If they really want to make onboarding easier, saying "after e.g. 1000 monthly downloads, you'll need to sign your artifacts" is also a viable solution in my opinion.
The npm team is, frankly, a bunch of idiots for saying that. It has been obvious for TEN YEARS that the bar for publishing npm packages is far too low. That’s what made npm what it is, but it’s no longer needed. They should put on their big boy pants.
> discourage new developers from publishing packages
Good.
3 replies →
Yeah Microsoft would have bought or taken over npm just to train on all the data against peoples wills, not to actually improve or put any effort into making it better
It sure hasn’t been forbidden in any enterprise I’ve been in! And they, in my experience, have it even worse because they never bother to update dependencies. Every install has lots of npm warnings.
[flagged]