why node.js makes me uncomfortable
I’ve always programmed with php for the web and during that time I’ve never needed to download packages (like npm) and update them. When I needed a specific function, like sending emails, uploading files or making my application drier, I just had to look at the documentation and implement it. But with node.js it doesn’t work like that, and that bothers me. If I’m wrong, please correct me
my biggest fear in all this is the malware spreading around :/
You’ve never had to do something outside of what is included in the PHP standard library? You’ve never used composer or included a third-party library?
You must dedicate a lot of time to writing things from scratch, things that are already solved (almost certainly better than you or I can ever do ourselves) and can be utilised by using a third-party library / module / package etc.
Node does take things to the extreme sometimes, but often packages are saving you hundred or thousands of hours a year, so you can focus on overall logic rather than creating an already existing tool for sending high-volume templated email, for example.
You never used Composer or the like and always built on bare code base? You never used libraries?
You can develop like that with nodejs and bun.sh as well. It’s just quite tedious just like in php.
You’re not wrong. Dependencies pulled directly from other developers get very little oversight compared to a language’s standard library. They introduce more opportunities for failure and increase the attack surface in your software. (The latter is at the core of the so-called supply chain attacks that have been in the news lately.)
To be fair, the problem is not unique to Node.js. Rust has it too, as does every other platform that encourages developer-to-developer library sharing.
The lesson is to be judicious with your dependencies. Look for the functionality you need in your language’s standard library first, and then in the standard software archive maintained by your target OS. (Packages that are officially part of the major Linux distros, for example.) If you can’t find it in either of those places, consider whether you truly need it, or whether writing a minimal implementation yourself would make sense.
In cases where you really must use some random person’s library, look for one that’s widely used, responsibly maintained, and ideally, small enough that you can keep track of its changes between versions. The responsibility for protecting your users is yours.
