npm is the WORST MISTAKE THAT HAS EVER HAPPEND TO SOFTWARE ENGINEERING. I HATE IT AND I REGRET EVER READING ITS DOCUMENTATION, SO MUCH WAISTE OF TIME ON ABSOLUTE JUNK

Works on my machine and my 30 or so production node servers /shrug

Long live composer ! Long live php !

I, too, hate NPM and what it encourages.

It's continually buggy, and strongly encourages the mindset that "other people's code is always better."

Cmon guys it ain't that bad..

@Hubot-0x58 Someone removed their leftpad package and broke much of the internet. 😅

Seriously, who couldn't write a leftpad function? That's like a first year CS problem. And what about depending on little packages that will be abandoned at some point?

You shouldn't write everything yourself, of course: reinventing the steam engine is modestly difficult, but the wheel? bloody trivial. Feel free to "reinvent" it.

But another issue:

There are very real security concerns with using other people's packages. If a project is 10% your code, what is the other 90% doing? To illistrate this with a bit of a strawman: I could easily obfuscate code to steal users' data and mask that behavior from developers, and publish it as a useful-looking npm package. I could write it to only steal data in production, on Thursdays, at random intervals, while the dev tools are closed; detecting it would be nearly impossible. Furthermore, the readable released source doesn't have to match the compiled and minified package, either, so examining its repo wouldn't help. If I convince other devs to include this utility package in their packages, the NPM mentality will eventually have my nefarious package included in large, widely-used projects, and silently stealing the data of millions of users.

Possible? Absolutely.
Difficult? Less than you'd think.

@Root heh that's like the software version of those Chinese chips 😂😂.

Scary how fragile the world actually is when you think about how you could break it

@CodeBane Everything can be broken and exploited given enough time and effort. That's why the best security people are ex-criminals/hackers/etc. 😋 They know what to look for, and more importantly: how to think.

@Hubot-0x58 Honestly, that's about it. Some common sense too: filesizes that sound right, inspecting rendered pages, etc. Also doing a secondary analysis in production since code behavior changes past the boundary. (I'm thorough/paranoid when it comes to bugs and quality testing, so this is my usual anyway)

The world is a scary place, especially when you blindly trust others and their work.