I doubt that any solutions which start off as “let’s change the whole universe” are going to get very far.

Yes, the situation sucks. I just looked at the frontend of a relatively small app we use for administration, and it depends on almost 5000 node modules versions. But this problem needs to be dealt with as soon as possible, and I don’t think that a fundamental change in development culture—making everything harder for developers in the process—is going to help.

5000? Wow. That's gotta be a pretty sizable fraction of the entire Node library ecosystem. Does it count duplicates?
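The "does it count duplicates?" question above can be answered mechanically from a lockfile. The following is an added example (not code from anyone in this thread): it walks the `packages` map of an npm `package-lock.json` (lockfileVersion 2 or 3; the older v1 nested `dependencies` layout is not handled here), counts every installed package version, and reports how many distinct package names that collapses to and which names appear in more than one version. The embedded `sampleLock` object is constructed for illustration and is not a real project's lockfile.

```javascript
// Added example: summarize an npm package-lock.json (lockfileVersion 2/3).
// Counts total installed package versions, distinct names, dev-only entries,
// and names that are installed in more than one version (the "duplicates").
// The lockfile object below is constructed for this example.
const sampleLock = {
  name: "admin-frontend",
  lockfileVersion: 3,
  packages: {
    "": { name: "admin-frontend", version: "1.0.0",
          dependencies: { "lib-a": "^1.0.0", "lib-b": "^2.0.0" } },
    "node_modules/lib-a": { version: "1.2.0", dependencies: { "lib-c": "^1.0.0" } },
    "node_modules/lib-b": { version: "2.0.1", dependencies: { "lib-c": "^2.0.0" } },
    "node_modules/lib-c": { version: "1.4.0" },
    // lib-b needs a different major of lib-c, so npm nests a second copy:
    "node_modules/lib-b/node_modules/lib-c": { version: "2.3.0" },
    "node_modules/lib-d": { version: "0.9.0", dev: true },
  },
};

// Lockfile keys are install paths such as "node_modules/@scope/name" or
// "node_modules/a/node_modules/b"; the package name is everything after the
// last "node_modules/" segment.
function packageNameFromPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return lockPath.slice(idx + marker.length);
}

function summarizeLock(lock) {
  const versionsByName = new Map();
  let total = 0;
  let devOnly = 0;
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    if (lockPath === "") continue; // "" is the root project itself, not a dependency
    total += 1;
    if (entry.dev) devOnly += 1;
    const name = packageNameFromPath(lockPath);
    if (!versionsByName.has(name)) versionsByName.set(name, new Set());
    versionsByName.get(name).add(entry.version);
  }
  // Names installed in more than one version, with the versions sorted for stable output.
  const duplicated = [...versionsByName.entries()]
    .filter(([, versions]) => versions.size > 1)
    .map(([name, versions]) => ({ name, versions: [...versions].sort() }));
  return { total, unique: versionsByName.size, devOnly, duplicated };
}

// Convenience wrapper for a lockfile on disk.
function summarizeLockFile(filePath) {
  const fs = require("fs");
  return summarizeLock(JSON.parse(fs.readFileSync(filePath, "utf8")));
}

// Stand-alone use: `node lockstats.js [path/to/package-lock.json]`.
// Without an argument it summarizes the constructed sample above.
if (typeof require !== "undefined" && require.main === module) {
  const summary = process.argv[2] ? summarizeLockFile(process.argv[2]) : summarizeLock(sampleLock);
  console.log(`installed versions: ${summary.total}, distinct names: ${summary.unique}, dev-only: ${summary.devOnly}`);
  for (const d of summary.duplicated) {
    console.log(`  ${d.name} appears as ${d.versions.join(", ")}`);
  }
}
```

On the constructed sample this reports 5 installed versions but only 4 distinct names, because `lib-c` is present twice. The gap between the two numbers is what a headline "5000 node modules" figure usually hides; the distinct-name count is the better measure of how many separate maintainers you are trusting, while the duplicate list shows where version drift is being tolerated in the tree.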

With a dependency forest that large, it's small wonder that not more JS projects aren't compromised by bad dependencies...

Create React App is pretty popular and it has 36k dependencies. That’s not saying everyone using it ships every one of those but that’s definitely a LOT of people who could potentially introduce malware, often with a fair chance of it being deniable.

