You can’t avoid it, but I think my feelings about this technology are biased more against the developer environment than against the technology itself.
I am a browser extension developer for Firefox and Chrome; I have also spoken at the FOSDEM Mozilla devroom for years and created projects that help FOSS communities.
I think my dislike grew before WordPress adopted React (with the famous discussion about its license), when the weight of that project led to its license being changed from BSD to MIT after the Apache Foundation rejected projects that used it. Maybe also because the Gutenberg project in WordPress started in the wrong way and is still creating trouble inside the community.
But with a title like this, the reaction is like this:
In this case NPM needs a computer with good resources or it is not able to build the dependency tree. At the same time APT, pip and gem on the same machine don’t have any issues.
Every JS developer knows the reality is:
So in this recent case I fixed my headache by adding a parameter that disables NPM execution for the WordPress develop version, so that I am able to contribute to the rest.
I had to use NPM because it is what the official project uses, so no Yarn, but that could be a valid test to do.
I also released a package on NPM years ago, so I know how it works.
What is the point?
I wrote this article after reading this one, but let me give you a recap.
In January 2022 a piece of news created an earthquake in the JS community, as two of the most used packages (20 million weekly downloads)
faker.js were hacked by their own creator and maintainer.
In an attempt to protest that big companies use his projects without compensating him financially, he broke those packages.
Years ago there was the case of the left-pad package, which was the base for tons of other packages in Node.js.
In both cases GitHub or NPM had to take ownership away from the creator of the package, remove the “bad” packages and put back the last one with no issues. Basically acting like a dictator, but that is what you accept if you don’t read the license terms (honestly, I didn’t).
So today another Node.js package,
node-ipc, was changed to randomly delete files if it detects, using the external IP address, that you are based in Russia or Belarus.
Another thing that is often forgotten is the dependency supply chain, where this happens often. Basically, if a private package is used and is not registered on NPM (for example), it is possible for someone to create a harmful public package with the same name that gets priority when downloading. So it is possible for other people to replace a dependency.
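As an added example (not code from the original post), here is a small offline audit that a maintainer can run against a project's `package.json` and `.npmrc` to catch the two risks discussed above: a private package name that would resolve on the public registry (the dependency confusion case), and a floating version range that silently accepts a later publish of the same package (the faker.js and left-pad cases). The `package.json`, `.npmrc` and private package list below are constructed for the example, the `acme-*` names are hypothetical, and the script assumes the default registry is the public one (no global `registry=` override in `.npmrc`).

```javascript
// Added example, not from the original post: offline supply-chain audit of
// package.json + .npmrc.
//  1. Dependency confusion: a private name that is unscoped, or whose scope has no
//     "@scope:registry=" mapping in .npmrc, resolves against the public registry,
//     where anyone can publish a package of that name.
//  2. Floating ranges (^, ~, *, >=): a future publish can be pulled in without any
//     change to package.json, which is how a sabotaged release reaches consumers.
// Assumption: no global "registry=" override, so unscoped names go to the public registry.

// Constructed sample package.json (not a real project).
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'example-app',
  dependencies: {
    'left-pad': '^1.3.0',      // public package, floating range
    'acme-billing': '2.0.1',   // hypothetical internal package, unscoped
    '@acme/auth': '1.4.0',     // hypothetical internal package, scoped
    'lodash': '4.17.21',       // public package, pinned
  },
});

// Constructed sample .npmrc: only the @acme scope is mapped to a private registry.
const SAMPLE_NPMRC = [
  '@acme:registry=https://npm.example.internal/',
  '//npm.example.internal/:_authToken=${NPM_TOKEN}',
].join('\n');

// Names the organisation publishes only internally (hypothetical list; in practice
// this would be exported from the private registry).
const PRIVATE_PACKAGES = new Set(['acme-billing', '@acme/auth']);

// Collect "@scope:registry=URL" lines from .npmrc into a scope -> URL map.
function parseScopedRegistries(npmrcText) {
  const scopes = {};
  for (const raw of npmrcText.split('\n')) {
    const m = raw.trim().match(/^(@[^:\s]+):registry=(\S+)$/);
    if (m) scopes[m[1]] = m[2];
  }
  return scopes;
}

// An exact semver version, optionally with prerelease/build metadata.
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// Returns one finding object per problem: { name, issue, detail }.
function auditDependencies(packageJsonText, npmrcText, privatePackages) {
  const pkg = JSON.parse(packageJsonText);
  const scopedRegistries = parseScopedRegistries(npmrcText);
  const deps = Object.assign({}, pkg.dependencies, pkg.devDependencies);
  const findings = [];
  for (const [name, range] of Object.entries(deps)) {
    const scope = name.startsWith('@') ? name.split('/')[0] : null;
    if (privatePackages.has(name)) {
      if (!scope) {
        findings.push({ name, issue: 'dependency-confusion',
          detail: 'unscoped private name resolves on the public registry' });
      } else if (!scopedRegistries[scope]) {
        findings.push({ name, issue: 'dependency-confusion',
          detail: `scope ${scope} is not mapped to a private registry in .npmrc` });
      }
    }
    if (!EXACT_VERSION.test(range)) {
      findings.push({ name, issue: 'floating-range',
        detail: `range "${range}" accepts future publishes without a package.json change` });
    }
  }
  return findings;
}

// Runs the audit over the constructed inputs above.
function runSampleAudit() {
  return auditDependencies(SAMPLE_PACKAGE_JSON, SAMPLE_NPMRC, PRIVATE_PACKAGES);
}

// Stand-alone usage: node audit.js
if (typeof require !== 'undefined' && require.main === module) {
  for (const f of runSampleAudit()) console.log(`${f.issue}: ${f.name} (${f.detail})`);
}
```

On the sample input the audit reports `acme-billing` as a dependency-confusion candidate and `left-pad` as a floating range, while `@acme/auth` passes because its scope is pinned to the private registry. A lockfile with integrity hashes (`npm ci`) closes the floating-range gap at install time; scoping every internal package and mapping the scope in `.npmrc` closes the confusion gap.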
I don’t remember, in years, so many cases of libraries or other packages made this harmful by their own creators, for reasons outside the vulnerability scope.
Honestly, I think the issue is right here: in other languages and ecosystems the developer is more conscious of the ethics and of the impact that their work could have on the rest of the world.
Another fact, maybe not so important, is that those developers often never used FOSS tools apart from the ones they use to develop.
I don’t know if this behaviour helps the FOSS world, as in this way the technology is seen more as something for
amateurs and not for
At the same time I don’t think this will help those big companies decide to invest money in contributing to FOSS for their own security reasons, as they often have no idea what they are talking about.
Following the pyramid of Open Source scheme, I think they care only about the fundamentals and not about the rest.
What can you do?
Contribute to open source, the right way. I never thought this discussion would become a way to promote my free and open source book about my experience in open source in any role (developer, translator, supporter and so on).
It is time to do things not just for the sake of doing them but also in the right way, and to be conscious of the power of the people in FOSS.