Just a sidenote about using NPM: Disable scripting using ignore-scripts (at least on npm install) whenever possible. Otherwise you seriously risk a malware-script being automatically processed unnoticed in the background.
I’m with you @ajlok, npm is terrible. I don’t think ignore-scripts can fix that, because you’re still going to be running an unknown pile of JS through the byzantine dependency graph that is npm. There is a small community out there who actually do know how to fix it and have done some great work in that direction, here’s an article from that camp:
Caveat: I haven’t read this specific article, but I’m familiar with the content, and Kate Sills is certainly well-positioned to get it right, working with Mark Miller at agoric.com, and I’ve seen him post approvingly about her writings.
The article does not suggest fixing the dependency hell that NPM has, it only talks about limiting permissions for NPM packages. While a good cause, the NPM dependency hell has more issues than just security.
Absolutely. Memory usage, complexity, security (whether capabilities or not, though they’re crucial and help a lot even without other measures).
But the npm ecosystem has important things in it, too – for example, Martin Kleppmann’s automerge, Mathias Buus’ hypercore – and fixing it is not the only important problem to solve. We also want to achieve usable decentralisation and security – which leads to a whole web of tricky problems. So fixing it from within to some extent seems necessary (not that it can never be replaced, but plenty of fixing-from-within is needed).