It's not even that I disagree, it's that it's a conversation killer. "The JS ecosystem is bad" has no response someone could make besides "no it's not", which is boring. "The JS ecosystem encourages using a million tiny unmaintained packages and that is bad" is a much more interesting statement that can spark a useful discussion.
This is an indication that the problem is either with some facet of NPM itself, JavaScript the language or JS programmers, as that is what distinguishes the ecosystem from e.g. Maven or pip that do not suffer from the same problems, at least not to the same extent.
However, going from this observation to isolating causal factors is a lot harder, and randomly guessing isn't very likely to hit the mark.
[1] claims that half of Python packages have security issues.
[2] says that the Rust supply chain has security issues.
Just as two examples.
---
[1]: https://www.theregister.com/2021/07/28/python_pypi_security/
I'm not asking for solutions, and I'm not asking for people to identify causal factors. I'm asking for people to put a little bit more effort into their criticisms of the JS ecosystem than just "it's obviously and empirically a dumpster fire".
Not sure what your seemingly intended moderation is supposed to achieve but the complaints towards the JS ecosystem have been very clear for no less than 10 years.
If we look at the chart in the original article [0] that this one is a follow up to, the NPM spam suddenly picked up around the end of February, with new packages per day first doubling and then tripling. So this 70% figure is specific to the last 6 months, not something that has been the case with the ecosystem for a long time.
That makes tracing causality much simpler: the Tea protocol seems to be pretty clearly the source of the problem. The big open question is why NPM, but the way that people jump to the conclusion that NPM being the target of this attack must have something to do with the flaws in the ecosystem smacks of victim blaming. Isn't it just as possible that NPM was targeted because it's huge? If you're going to run a massive spam campaign you do it where the people are.
Could NPM learn from this and start controlling spam better? Yes! But that's not the same thing as attributing this tea.yaml nonsense to systemic flaws in the ecosystem—spam prevention has to be balanced with usability, and the balance was pretty decent until 6 months ago.
[0] https://blog.phylum.io/digital-detritus-unintended-consequen...
Continuing on this, I wonder if this is a cultural thing or if there are actual technical choices made in NPM that play a role. Could NPM change something in their package management to change this? Should they?
To address the part of your comment that doesn't make my head spin: only very occasionally do I see senior Go developers import 3rd party libraries. I'm just speaking from my experience.
Meaning curation falls outside it and should not be centrally and unilaterally enforced by gating the entry.
We seem to be handling the bloated .com DNS namespace just fine.
Instead, what it does have is a huge prevalence of those features, and a minimal size of "safe space" where one can have some confidence they will not appear. Both of those are quantitative differences that people cannot summarize in a short comment, and that people can easily dismiss with (misguided or dishonest) counterexamples.
So, what you are asking for is a full blown large scale study of several ecosystems. Somebody may do something like that, but not for a comment, and not because you asked.
All ecosystems that are sufficiently popular have terrible problems. They have different problems, but none is consistently pleasant to work with. Out of all of them, though, JS gets singled out for constant attacks because... reasons.
I just want people to identify what those reasons are so we can have a conversation about them rather than just endlessly repeating the meme.