
I'm curious: why is it bad? I very, very rarely have to delve into my node_modules folder to take a look at something.



You should take a proper look once; you'll be amazed at all the different modules implementing the same functionality over and over again (e.g. globbing, promisifying, or the myriad of `is-*` single-function packages).

Why is that bad? It's a huge waste of effort, increases the burden on anyone who's maintaining a package using those micro-libraries, and will guarantee more unpatched security vulnerabilities and unmaintained packages in the long run.


The leftpad fiasco (which I believe NPM has now mitigated), and the recent security issue where a certain popular package was uploading any passwords it found showed the current dangers with NPM.


The lesson from left-pad should have been to vendor all your deps rather than bet your org on third parties with no SLA commitment to you.


I'm not arguing about the security of NPM, rather the idea that multiple modules is a bad thing.





