The security stuff for NodeJS is really frustrating. If anything, NodeJS is more secure than something like the JVM or C++. If I include a 3rd party package in the JVM, I have absolutely no guarantee that it will work well, much like in Node. In fact, in Node, I can actually read the source code and see what the package is and what it is doing. In nearly every other environment, you may simply have access to a binary, with maybe some interface info.
So why do people not throw the same kind of fit about nearly every other programming environment as they do for Node/NPM? And frankly, why do those other environments not have the ridiculous security breaches we have seen in Node/NPM land?
The real problem with Node/NPM, I suspect, is a lack of a standard library. Simply having a standard library would have greatly reduced dependency and package hell. Further, a standard library would mean people would be more willing to write a little more code rather than include a new dependency.
Because in those languages:
- dependencies are carefully considered by users
- dependencies are not added recursively
- dependencies try to be dependency-free themselves to assist with the previous point
- dependencies are not blindly nor automatically updated
- dependencies solve important domain problems, they are not trivial one-line-functions
- dependencies are typically developed and tested by a known team or company, which you trust, not just someone random
- binaries can be signed
- support contracts are a thing
- etc etc etc...
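The points about recursive dependencies and blind updates are things you can measure in an npm project rather than argue about. The script below is an added example, not code from anyone in this thread: it walks a constructed package.json and a constructed package-lock.json (the lockfileVersion 3 "packages" map shape) and reports how many packages were pulled in beyond the direct ones, how deep the longest chain goes, and which direct dependencies are declared with a floating range (^, ~, etc.) rather than an exact version. The package names and versions are made up for the example; the flat `node_modules/<name>` lookup is a simplification that ignores nested duplicates.

```javascript
// Constructed sample data (not a real project): two direct dependencies,
// one of which drags in a chain of two more.
const packageJson = {
  dependencies: {
    "left-pad-ish": "^1.0.0", // floating: any 1.x.y may be installed later
    "date-fmt-ish": "2.3.1",  // pinned: exactly this version
  },
};

const lockfile = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "left-pad-ish": "^1.0.0", "date-fmt-ish": "2.3.1" } },
    "node_modules/left-pad-ish": { version: "1.0.4", dependencies: { "is-number-ish": "^3.0.0" } },
    "node_modules/is-number-ish": { version: "3.0.0", dependencies: { "kind-of-ish": "^6.0.0" } },
    "node_modules/kind-of-ish": { version: "6.0.3" },
    "node_modules/date-fmt-ish": { version: "2.3.1" },
  },
};

// Treat a spec as pinned only when it is an exact x.y.z; everything else
// (^, ~, *, ranges, tags, git URLs) can resolve to different code on a later install.
function isPinned(spec) {
  return /^\d+\.\d+\.\d+$/.test(spec);
}

// Direct dependencies whose declared range lets a future install float.
function floatingDirectDeps(pkg) {
  return Object.entries(pkg.dependencies || {})
    .filter(([, spec]) => !isPinned(spec))
    .map(([name]) => name);
}

// Look up a package's lockfile entry. Real lockfiles may also nest entries as
// node_modules/<parent>/node_modules/<name>; this example only handles the
// flat, hoisted case.
function lockEntry(lock, name) {
  return lock.packages[`node_modules/${name}`];
}

// Breadth-first walk from the root entry "", recording the depth at which each
// package is first reached. The visited map also protects against cycles.
function walkLock(lock) {
  const depth = new Map();
  const queue = [];
  const root = lock.packages[""] || {};
  for (const name of Object.keys(root.dependencies || {})) {
    depth.set(name, 1);
    queue.push(name);
  }
  while (queue.length) {
    const name = queue.shift();
    const entry = lockEntry(lock, name);
    if (!entry) continue; // declared but not in the lockfile: inconsistent lock
    for (const child of Object.keys(entry.dependencies || {})) {
      if (!depth.has(child)) {
        depth.set(child, depth.get(name) + 1);
        queue.push(child);
      }
    }
  }
  return depth;
}

// Summary a reviewer can act on: how much code arrived that nobody chose
// explicitly, how long the trust chain is, and which direct deps can drift.
function dependencyReport(pkg, lock) {
  const depth = walkLock(lock);
  const direct = Object.keys(pkg.dependencies || {}).length;
  let maxDepth = 0;
  for (const d of depth.values()) if (d > maxDepth) maxDepth = d;
  return {
    direct,
    total: depth.size,
    indirect: depth.size - direct,
    maxDepth,
    floating: floatingDirectDeps(pkg),
  };
}

console.log(dependencyReport(packageJson, lockfile));
// -> { direct: 2, total: 4, indirect: 2, maxDepth: 3, floating: [ 'left-pad-ish' ] }
```

To run it against a real project, replace the two constructed objects with `JSON.parse(fs.readFileSync('package.json'))` and the same for `package-lock.json`; a large `indirect` relative to `direct`, a deep `maxDepth`, or a long `floating` list are exactly the conditions the list above says other ecosystems avoid.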
This is 100% true, especially for stupid libraries that are someone's class project. And JavaScript developers are so used to dependency hell that one of my developers imported a 3rd party package for date formatting.
JS's built-in date formatting/handling is terrible and often doesn't do what needs to be done.
MomentJS may be a giant import, but it works and it works really well.
[1]: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Refe...