Node Packages and the Node Package Manager
- What we get on any given NPM install is not known fully, way too many dependencies.
- What we get security wise is not known as there's no security certification rules, we get literally anything someone wants to inject.
- There's no guarantee that any package we use has any future maintenance in mind.
- NPM Install uses the Package-lock file. This reduces our chances of getting what we want unless we know how to deal with it, like delete the package-lock file.
- NPM clean-install works but due to package-lock file, what we get can be different than what we want.
- Gaining full knowledge of NPM Installs, packages and package-lock files is an obscure art. Things do not come to light until days or weeks of fiddling around and getting to know the secrets.
- The -D -g save options are confusing, instead there should be a -P for this project.
- Blowing away the node_modules folder either locally or globally just to regain control is crazy! Let the compiler tree-shake.
- Overall grade for NPM is a C- or D+. No professor would ever rate it higher knowing these potential nasty side effects.
Deno
- I can't grade it at all because my only knowledge is from reading what it does.
- I like the concept of security first.
- I like the concept of using URLs to point to a single library.
- I like the idea of getting away from Node.
- It makes me wonder do we need the 200mb of Node package baggage just to do things we should know how to do and have certified safe libraries ready to go?
There's too much to like about Deno and at least 3 strikes against NPM, question is, have you reached the bottom of the 9th? I'm at least in the bottom on the 8th myself.
Summary
Maybe it's time to break our Opium Addiction to NPM 3rd party packages outside of Angular, React and Vue (ok perhaps Material). Everything else should be our own reusable libraries. We can do this with NPM or we can use a Security first architecture named Deno.
JWP 2020
Top comments (2)
I'm not sure that Deno is the holy grail, I mean,
npm(oryarn) aren't that bad are they? 99% of the time it works pretty well and allows us to do powerful stuff ...And there's a reason for
node_modulesandpackage-lock.jsonand all that - it's to solve certain real-world problems (e.g. managing transitive dependencies) - how is Deno solving these same issues, or is it just not solving them?Npm isn't just doing complex things for the heck of it, it's to solve real problems. Show me that Deno is solving them in a better way, and we'll talk again :-)
I agree that when everything settles down after we've spent more than ample time getting just the right combinations, yes npm works great.
To say however that 200meg downloads are secure is false, big companies have swept this detail under the carpet.
One last point, I'm also a .Net person for last 20+ years. In that environment adding and removing packages is 99% better than NPM.
Even better is that .Net upgrades work first time 99% of the time.
Also, .Net imports are done one time one place at the solution level. The compiler is smart enough to use imports from one location.
The npm package community (including me)has been dumbed down to accept things as they are due to the allure of free software. It's lack of Security should put all corporate Security Experts into heart attack mode but oddly, it's ignored at the same time as implementing multi-form security, VPN Networks, Domain Level LDAP, and strict userid/password requirements.