Has anybody tried NodeGUI or Proton Native on librem5? They’re both Qt-based. Should they work?
I’d rather use GTK because it’s more ‘native’ to librem5 and GNOME, but I want to use a particular JavaScript library for which there’s really no practical alternative right now. That has npm dependencies, and GTK + npm at the moment seems basically unsupported (I know there’s GJS efforts of some kind, but it’s not there yet, and also node-gtk, but it seems like a one-man-band right now – I wish them well, but it’s not for me, yet). Plus it might be nice to use React, and though there’s a react-native-gtk, I think that’s abandoned for the moment, perhaps in part because of the npm situation.
Just a sidenote about using NPM: disable scripting using ignore-scripts (at least on npm install) whenever possible. Otherwise you seriously risk a malware script being automatically processed unnoticed in the background.
I’m with you @ajlok, npm is terrible. I don’t think ignore-scripts can fix that, because you’re still going to be running an unknown pile of JS through the byzantine dependency graph that is npm. There is a small community out there who actually do know how to fix it and have done some great work in that direction; here’s an article from that camp:
Caveat: I haven’t read this specific article, but I’m familiar with the content, and Kate Sills is certainly well-positioned to get it right, working with Mark Miller at agoric.com, and I’ve seen him post approvingly about her writings.
The article does not suggest fixing the dependency hell that NPM has, it only talks about limiting permissions for NPM packages. While a good cause, the NPM dependency hell has more issues than just security.
Absolutely. Memory usage, complexity, security (whether capabilities or not, though they’re crucial and help a lot even without other measures).
But the npm ecosystem has important things in it, too – for example, Martin Kleppmann’s automerge, Mathias Buus’ hypercore – and fixing it is not the only important problem to solve. We also want to achieve usable decentralisation and security, which leads to a whole web of tricky problems. So fixing it from within to some extent seems necessary (not that it can never be replaced, but plenty of fixing-from-within is needed).