npm was a mistake.
-
npm was a mistake. the concept of pulling live dependencies that are not collectively managed by a QA team but each individually managed by many thousands of people with wildly varying skill and availability is inherently doomed to constant incidents.
@0xabad1dea Now you got me thinking.
Some of the package managers I have seen do not make an effort to expose a number of details I would think are important like the licence and owner of the package.
Sure, Nuget DOES support multiple repositories, but the developer still has to actively seek out information package by package. It also seems to be common to publish into the public Nuget Feed, rather than different groups getting their own feed.
NPM takes it further by not having any silos, which also means no control or prediction. Instead of adapting these in during the Pad Left incident, and encouraging a system where you know who provides your shit, NPM just said "You can't take things down anymore."
Maybe we do need a completely new dependency management system.