Let’s learn from others’ mistakes instead of repeating them. Specifically, the debacle that is node.js / npm. See the following two recent train-wrecks:
The first one is the infamous left-pad: This was an essentially 10-line package that got pulled in as a transitive dependency into unholy amounts of code. At some point, the maintainer “unpublished” this package over some irrelevant scuffle, and giant parts of the ecosystem broke down (unsatisfiable dependencies).
The second one is more recent and still unfolding: A less ridiculous package got used as a transitive dependency in a lot of packages (2 million downloads / week, almost 1600 directly dependent packages and who knows how many indirect reverse dependencies). At some point, the original author passed on maintainership, due to lack of interest. The new maintainer promptly backdoored the package. This was discovered today, after 2+ months.
Let us reflect for a moment on what we can do better, especially before practices that turn out to be harmful get entrenched.
Typical Linux distributions have their act together: Failure on such a monumental scale is rare. Node.js / npm does not have its act together.
This is not about bad actors, or failure of judgement when passing on maintainership, or failure of judgement when pulling in dependencies. I don’t even think that this is a technological failure. Human error is a symptom of a fragile system.
We want a system / community / package manager / ecosystem that accounts for lazy programmers and human error.
I’m not against the existence of footguns; I’m against the path of least resistance being a loaded footgun. I’ll post my own thoughts on what to learn below, in a couple of minutes. But I think this issue is worth discussing from more viewpoints than just my own, especially since there are much more experienced people around.