why node.js makes me uncomfortable
I’ve always programmed with php for the web and during that time I’ve never needed to download packages (like npm) and update them. When I needed a specific function, like sending emails, uploading files or making my application drier, I just had to look at the documentation and implement it. But with node.js it doesn’t work like that, and that bothers me. If I’m wrong, please correct me

#programming

  • ono
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    You’re not wrong. Dependencies pulled directly from other developers get very little oversight compared to a language’s standard library. They introduce more opportunities for failure and increase the attack surface in your software. (The latter is at the core of the so-called supply chain attacks that have been in the news lately.)

    To be fair, the problem is not unique to Node.js. Rust has it too, as does every other platform that encourages developer-to-developer library sharing.

    The lesson is to be judicious with your dependencies. Look for the functionality you need in your language’s standard library first, and then in the standard software archive maintained by your target OS. (Packages that are officially part of the major Linux distros, for example.) If you can’t find it in either of those places, consider whether you truly need it, or whether writing a minimal implementation yourself would make sense.

    In cases where you really must use some random person’s library, look for one that’s widely used, responsibly maintained, and ideally, small enough that you can keep track of its changes between versions. The responsibility for protecting your users is yours.