DEV Community


Why You Should Care What You Npm Install

Sasha Blagojevic on December 20, 2018

As if we haven't learned anything from the Left-pad debacle, on November 26th the JavaScript world was shaken once again. A popular Npm library ...
Simon Goellner

Article was well written and thanks for the informative look at something important to know :)

I do take issue, though, with your assertion that installing dependencies without checking their source or GitHub history is "lazy". The world of software development, especially web development, is super competitive nowadays. If a client is demanding a tighter timeline and a smaller budget, you have a choice: cut the corner and get the job, or go hungry, because someone else will cut that corner.

I want to believe that the huge benefits and time-savings we've created are due to pressure, not laziness. Clients now demand excellent, hugely interactive, and fast experiences at the same price they've always paid. Where can you create that extra value if not at the development phase?

Sasha Blagojevic

Hey Simon, thanks for reading and thanks for the reply. I never said in the post that developers who don't check dependencies on GitHub are lazy; I said that developers who choose to install dependencies for even the most trivial things instead of writing a few extra lines of code are lazy. The perfect example of that is the left-pad library. :)

And I feel you, clients nowadays usually want everything for pennies done yesterday, but it is our responsibility to our industry to explain to them that they have 3 options but can only choose 2:

  • Fast
  • Cheap
  • Good Quality
Sophie The Lionhart

On this same note, I was talking with another dev the other day about how incredible it is that you can't easily sort repos by dependencies on npmjs.org, nor easily see how many dependencies the repo's dependencies will pull in. It makes it very hard to make an informed decision about an individual module you want to include. It's very hard to tell if that lib you pulled in (or one of its dependencies) will pull in the entire npm ecosystem and thus some nefarious lib.

Sasha Blagojevic

Thanks for the reply and you are absolutely right!

YCM Jason

I have become so paranoid now when installing packages I have never used before. I go into GitHub to check the code. Then I even go to unpkg to make sure the code on GitHub is the same as on npm. 😂😂😂😂

Sasha Blagojevic

Better safe than sorry ;)

Sasha Blagojevic

Thanks for reading the post and your suggestion, it's done :)