Comment by thewebguyd

2 months ago

Why even put a package download count on it? Just require it for everything submitted to NPM. It's not hard.

Because then it's extra hassle and expense for new developers to publish a package, and we're trying to keep things decentralized.

  • It's already centralized by virtue of using and relying on NPM as the registry.

    If we want decentralized package management for Node/JavaScript, you need to dump NPM. Why not something like Go's system, which is actually decentralized? There is no package repository/registry; it's all location-based imports.

  • Decentralized? This is a centralized package registry. There is nothing decentralized about it.

    • Oh right, good point. I wonder when somebody will just sue NPM for any damage caused. That's really the only way we'll see change, I think.

  • Download counters are completely useless. I could download your package 2 million times in under a minute and cause you to need the 2FA.

    And true 2FA means you can't automate publishing from GitHub's CI. Python is going the other direction: there is a fake 2FA that is just used to generate tokens, and there is a preferential channel to upload to PyPI via GitHub's CI.

    But in my opinion none of this helps with security. It does help to de-anonymise the developers, which is probably what they really want to do, without caring whether those developers get hacked and someone else uses their identity to do uploads.

  • I don’t understand what benefits this kind of “decentralization” offers.

    • Larger pool of people you can hack/blackmail/coerce into giving you access to millions of systems :)