Not entirely the usual fare, but I figured some here would appreciate it

I often rag on the js/node/npm ecosystem for being utter garbage, and this post is quite a full demonstration of many of the shortcomings and outright total design failures present in that space

  • gerikson@awful.systems · 11 points · 8 months ago

    The commenters on HN and lobste.rs are generally on the side of the package creators, with the view that NPM is run by GitHub, who is owned by Microsoft. All this is true, but it doesn’t follow from that that the NPM people are paid fuck-you money. I suspect they’re understaffed, and overworked, and that this stunt didn’t make them very happy.

    Although in retrospect, not anticipating that some rando would try to depend on everything in the repository seems like a naive view on human nature.

    • V0ldek@awful.systems · 7 points · 8 months ago (edited)

      1. If they are understaffed - Microsoft is trying to sell itself as OSS friendly, so they have absolutely zero excuse for not putting enough resources into something this load-bearing and this historically shitty.
      2. If they are well-funded, what the fuck is that money being spent on, ChatNPM?
      3. Npm was acquired by GitHub in 2020. It has been an utter dumpster fire for its entire history. Being acquired by Microsoft doesn’t absolve you from having created the tool Satan the Lord of Hell will use to break the Seventh Seal and bring a thousand years of darkness upon humanity.
    • froztbyte@awful.systems (OP) · 5 points · 8 months ago

      there’s probably a few people trying this in every other language ritenao

      guess we’ll find out in a few weeks!

      • Deborah@hachyderm.io · 6 points · 8 months ago

        I mean, do any other package managers work this way? PyPI disallows complete removal from the index to prevent malware namesquatting, but nothing in PyPI as a tool requires dependencies exist or be functional.

          • froztbyte@awful.systems (OP) · 4 points · 8 months ago

            I know PyPI is a bit more responsive to issues (having seen it happen, and seen on irc how the people think about things). on the rest I haven’t really been close to things for a little while because reasons

            android/dart seems to give me “google or someone will intervene” vibes. not sure about the wider maven ecosystem. the mental image of trying to deal with this particular problem in their usual suggested flows (which is extremely “click here and here in these 5 menus. we’ll only mention the places by name, fuck you getting circles or screenshots.”) strikes me as though it may cause a hundred million wails crying out at once

  • Deborah@hachyderm.io · 11 points · 8 months ago

    I kept stopping while reading to rant about how each turn of the story reinforced my notion that the npm ecosystem will be first up against the wall when the revolution comes.

    • Deborah@hachyderm.io · 14 points · 8 months ago

      Can’t uninstall if you’re anyone’s dependency? That’s a social problem; if an underlying package goes away or breaks, then yes, the downstream packages need to update (and JS needs a frickin stdlib so people stop importing 12-line string formatters).

      Can’t uninstall if you’re someone’s wildcard dependency? That’s a bug.

      Can’t uninstall if you depend on self? Massive bug.

      The kik naming thing? I find package namespacing irritating but it solves that problem.
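
As an added example (not from the thread or from npm itself) of the two dependency shapes the comment above calls bugs, here is a small audit that reads a package.json and reports wildcard ranges and self-dependencies, including npm's "npm:name@range" alias form. The manifest, package names and the decision to count the "latest" dist-tag as unpinned are this example's own assumptions.

```javascript
// Added example, not from the thread or from npm: audit a package.json for
// wildcard dependency ranges and self-dependencies. The manifest below is
// constructed for illustration; none of these packages need to exist.

const SAMPLE_MANIFEST = JSON.stringify({
  name: "left-padder",
  version: "1.2.3",
  dependencies: {
    "is-odd": "*",
    "left-padder": "^1.0.0",            // depends on itself
    "lodash": "latest",                 // dist-tag, floats at install time
    "chalk": "",                        // empty range == any version
    "semver": "^7.5.0",
    "debug": "4.3.4",
    "padder-alias": "npm:left-padder@*" // alias pointing back at itself
  },
  devDependencies: { "mocha": "x" },
  optionalDependencies: { "fsevents": ">=0.0.0" }
});

// Dependency fields npm resolves from a manifest.
const DEP_FIELDS = [
  "dependencies", "devDependencies", "optionalDependencies", "peerDependencies"
];

// Split an npm alias spec "npm:real-name@range" into target and range; for a
// plain spec the target is the dependency key itself.
function resolveSpec(depName, spec) {
  const s = String(spec).trim();
  if (s.startsWith("npm:")) {
    const body = s.slice(4);
    const at = body.lastIndexOf("@");
    // "@scope/name" has an "@" at index 0; only a later "@" separates the range
    if (at > 0) return { target: body.slice(0, at), range: body.slice(at + 1) };
    return { target: body, range: "" };
  }
  return { target: depName, range: s };
}

// Ranges that accept any published version. "", "*", "x"/"X" and ">=0.0.0"
// are unconstrained semver; "latest" is a dist-tag that floats to whatever is
// tagged at install time (treating it as a wildcard is this example's choice).
function isWildcardRange(range) {
  const r = range.trim();
  if (r === "" || r === "*" || r === "x" || r === "X" || r === "latest") return true;
  return /^>=\s*0(\.0){0,2}$/.test(r); // ">=0", ">=0.0", ">=0.0.0"
}

// Returns { wildcards, selfDependencies }, one "field:name" entry per finding,
// so a CI step can fail when either list is non-empty.
function auditManifest(manifestJson) {
  const pkg = JSON.parse(manifestJson);
  const wildcards = [];
  const selfDependencies = [];
  for (const field of DEP_FIELDS) {
    for (const [depName, spec] of Object.entries(pkg[field] || {})) {
      const { target, range } = resolveSpec(depName, spec);
      if (isWildcardRange(range)) wildcards.push(`${field}:${depName}`);
      if (target === pkg.name) selfDependencies.push(`${field}:${depName}`);
    }
  }
  return { wildcards, selfDependencies };
}

const report = auditManifest(SAMPLE_MANIFEST);
console.log(JSON.stringify(report, null, 2));
```

Run it with `node audit.js` against a real package.json by replacing SAMPLE_MANIFEST with `require("fs").readFileSync("package.json", "utf8")`; the alias handling matters because a self-dependency can hide behind a different key name.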

  • Architeuthis@awful.systems · 11 up, 1 down · 8 months ago

    An interesting read in general but the writers proclaiming themselves ethical hackers in the opening paragraph only to turn into wittle birthday boys as soon as it turned out their uh experiment caused major disruptions was mildly off putting.

    • Deborah@hachyderm.io · 16 up, 2 down · 8 months ago

      Until I got to the end, I actually assumed “we’re ethical hackers” meant that they were aging X-ers who’d been aspiring to some Cult of the Dead Cow shit since they were script kiddies in the 90s, not “we’re literally children”. I legit didn’t realize the Youth still talked that way; it’s off putting but almost reassuringly anarchist. Be gay, do NPM crimes, kids!

      They definitely overreacted to github’s scold, though.

      • froztbyte@awful.systems (OP) · 8 points · 8 months ago

        I’d want to see what happens if they take github to task on parts of that response, tbh - too many companies get away with that kind of overblown bullshit (usually because legal team asymmetry)

    • froztbyte@awful.systems (OP) · 7 points · 8 months ago

      when I first did this for a project a couple of years ago, the github api endpoint for this sucked extremely bad. I no longer remember all the details but it was something like 3 different sets of things you had to get to make sure you had somewhat of a full picture. might be better these days. and even then it’s still only the first piece in the puzzle

      but yeah, by and large a rather extreme percentage of the modern industry is extremely dependent on a very narrow scope of SPoFs, and many are clueless about how to even approach this. 2 decades of computer-renting, yay!

      • Deborah@hachyderm.io · 6 points · 8 months ago

        In the micro, it’s usually the correct choice to have SaaS everywhere. I don’t mean the anti-labor parts like “outsource your entire [X] department to a SaaS product”, but for infrastructure? Akamai, Azure, AWS, Google, Cloudflare, etc. are all vastly more qualified, because of scale, to manage the threat landscape. And once you’re in that ecosystem why not tie yourself into it tighter and tighter? The next thing you know US-East-1 goes down & your entire crisis mitigation system is busted.

  • V0ldek@awful.systems · 3 points · 8 months ago

    Okay, I might be brainfarting here, but… why is blocking _un_publishing such a big deal? I understand that it might be annoying, but this talks about it like it broke the fucking system, as if it was as important as actually publishing packages.

    How often do people in JS world unpublish packages?

    • froztbyte@awful.systems (OP) · 4 points · 8 months ago

      seems like a perfectly normal thing to do to me. maybe you uploaded it under the wrong account, or licensing change, or need to do a security- or danger-related retraction, or …

      hell, maybe you just changed your mind! that’s allowed too! or should be

      • V0ldek@awful.systems · 3 points · 8 months ago

        I totally get that it’s a normal thing and it is a disruption of service, but it doesn’t strike me as “everybody freak out”.

        If, say, Lemmy stopped you from deleting your comments for 24h, few would even notice.

        • earthquake@lemm.ee · 5 points · 8 months ago (edited)

          I am guessing* that the “everybody freak out” part happened when the extent became evident and everyone realized all of npm was suddenly unpublishable, not so much because everyone individually freaked out immediately.

          *extrapolating from the NPM community being described as frustrated but mostly forgiving.