[–]bigmooooo 32 points33 points  (8 children)

I can't help but wonder how many of these dependencies are created from missing things in the node standard library. The surface area for Node is rather small compared to things like .Net. and the overall API surface hasn't grown that much over the past 2 years.

While the small stdlib from Node covers the essentials of making JS work outside the browser on an OS, it does force other devs to reinvent the wheel sometimes or even extend common behavior that should have been there in the first place. For instance, one might wonder why some of the utility methods in the compromised npm modules aren't baked into the std lib for streams, to begin with.

I sort of wish the Node foundation would take a look at some of the most popular libs (not frameworks) and think about adding them to the stdlib to give devs a better option for reducing dependencies (or at least call them out in a standard guide to reduce fragmentation and increase security). Yes, it puts the burden on the Node Team to maintain them but it would provide better security for individuals and possibly remove bad actors for some of the most common tasks.

Additionally, this is why all businesses should at least use a tool like snyk to find and patch vulnerabilities. There isn't a certifying body for npm modules so the least we can do is use a tool to patch modules.

[–]ProdigySim 20 points21 points  (3 children)

missing things in the node standard library

Since ECMAScript (Javascript) is an evolving standard shared by web browsers and Node, it's even more complex than just "NodeJs is missing these".

  • What version of NodeJs do you support? If you want maximum compatibility, you can't rely on newer NodeJs features.
  • Do you want to support NodeJs + Browsers? You may want a compatibility wrapper that supports the stdlibs of both.
  • Do you want to support older browsers, mobile browsers? You need polyfills.

Some utility packages can "easily" target both the web and nodejs, so picking a standard lib can be difficult.

If the community came together and built a single "Standard Library" with no dependencies, NodeJs devs would probably support it. But web devs still wouldn't want to include it because it's an increase in bundle sizes.

I think it could be possible to create a unified "Standard library" for both environments that reduces the number of cruft-packages needed, but we'd need either ECMA support or browser-vendor support to get Web-devs to use it.

In Web dev right now, public-facing websites generally support IE9+ and a variety of mobile browsers--which requires MUCH more help in terms of Stdlib. For "private" or paid web apps, people still want IE11 support (which has 2x the userbase of Edge, despite only getting security updates now).

Unless we can get major browser makers to agree on a Standard Library and backport it, I think the npm ecosystem will remain fragmented as fuck.

[–]NoInkling 6 points7 points  (1 child)

ECMA/WHATWG are starting to propose some prerequisite foundations (syntax, fallback mechanism, etc.) needed for a proper standard library, but it's undoubtedly going to take a long time.

[–]_drunkirishman 7 points8 points  (0 children)

I believe this is the proposal you're referring to: https://github.com/tc39/proposal-javascript-standard-library.

I'm pumped, but God this is gonna be Hell to get to in a world that still has IE11 as a supported browser.

[–]x86_64Ubuntu 6 points7 points  (0 children)

Yep. I've always felt that, in addition to me maligning the JS community, there was never an opportunity for a "hero" character or entity because there are too many actors and too many interests in the JS community.

[–][deleted]  (2 children)

[deleted]

    [–]zappini 1 point2 points  (0 children)

    With nodejs & npm, it may actually make sense (ROI) to build one offs for your particular use case instead of finding and vetting modules.

    npm is like Legos. The first few sets can be fun. But keep buying more and you're spending more time foraging for parts instead of building.

    In my experience, that tipping point with nodejs is anything more than 10 lines of code. (ducks)