The Disruptive power of NPM developers for the Open Source brand

I don’t like JavaScript, but I have to use it.

Introduction

JavaScript is one of the few technologies that you have to deal with anyway on the web, and you can’t swap it for another. TypeScript, CoffeeScript and so on are transpilers, but in the end you need to use the browser or other tools to debug the JavaScript application they generate.

You can’t avoid it, but I think that my feelings about this technology are biased more against the developer environment than against the technology itself.

I am a browser extension developer for Firefox and Chrome; I have also talked about it at the FOSDEM Mozilla devroom for years and created projects that help FOSS communities.
I think that my hate grew before WordPress adopted React (with the famous discussion about the license), and the power of this project led to the license changing from BSD to MIT, as the Apache Foundation rejected projects that were using it. Maybe because the Gutenberg project in WordPress started in the wrong way and is still creating trouble inside the community.

Anyway, in 2019 I wrote an article, “You cannot use JavaScript for everything”.

But with a title like this the reaction is like this:

But if I think about it, the last time I lost a lot of time with JavaScript was a few days ago, with NPM:


In this case NPM needs a computer with good resources, or it is not able to process the dependency tree. At the same time APT, PIP and GEM on the same machine don’t have any issues.
Every JS developer knows the reality is:

So I fixed my headache in this recent case by adding a parameter to disable NPM execution for the WordPress develop version, so I am able to contribute to the rest.

I had to use NPM as it is used by the official project, so no Yarn, but it could be a valid test to do.

I also released a package on NPM years ago, so I know how it works.

What is the point?

I wrote this article after reading this article, but let me do a recap for you.

In January 2022 a piece of news created an earthquake in the JS community, as two of the most used packages (20 million weekly downloads), colors.js and faker.js, were hacked by the same creator/maintainer.
In an attempt to protest against the fact that big companies were using his projects without any monetary compensation to him, he broke those packages.

Years ago there was the case of the left-pad package, which was the base for tons of other packages in Node.js.

In both of those cases GitHub or NPM had to take ownership away from the creator of the package, remove the “bad” packages and put back the last version with no issues. Basically like a dictator, but that is if you don’t read the license terms (honestly I didn’t).

So today another Node.js package, node-ipc, was changed to randomly delete files if it detects, using the external IP address, that you are based in Russia or Belarus.

Another thing that is often forgotten is the Dependency Supply Chain, where this happens often. Basically, if a private package is used and its name is not registered on NPM (as an example), it is possible to create a custom harmful public one and get priority when downloading. So it is possible for other people to replace a dependency.
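The scenario described above is commonly called dependency confusion. As an added example (not part of the original article), this sketch audits the `packages` map of a `package-lock.json` and flags internal packages that are unscoped or were resolved from somewhere other than the private registry; the scope `@acme`, the package names and the registry host are constructed assumptions.

```javascript
// Added example; every name below is a constructed assumption.
const INTERNAL_SCOPES = ["@acme"];                    // hypothetical private scope
const INTERNAL_UNSCOPED = ["acme-billing-utils"];     // hypothetical private unscoped name
const PRIVATE_REGISTRY_HOST = "npm.internal.example"; // hypothetical private registry

// "node_modules/a/node_modules/@s/b" -> "@s/b"
function nameFromLockPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? lockPath : lockPath.slice(idx + marker.length);
}

function isInternal(name) {
  return INTERNAL_UNSCOPED.includes(name) ||
    INTERNAL_SCOPES.some((scope) => name.startsWith(scope + "/"));
}

// Walks the "packages" map of a lockfileVersion 2/3 package-lock.json.
function auditLockfile(lock) {
  const findings = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    if (lockPath === "" || entry.link) continue; // root project or workspace link
    const name = entry.name || nameFromLockPath(lockPath);
    if (!isInternal(name)) continue;
    // An unscoped private name can be registered publicly by anyone.
    if (!name.startsWith("@")) findings.push({ name, issue: "unscoped-internal-name" });
    let host = null;
    try { host = new URL(entry.resolved).hostname; } catch { /* missing or not a URL */ }
    if (host !== PRIVATE_REGISTRY_HOST) {
      findings.push({ name, issue: "resolved-outside-private-registry", host });
    }
  }
  return findings;
}

// Constructed lockfile fragment, not taken from a real project.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "webapp", version: "1.0.0" },
    "node_modules/@acme/auth": { version: "2.1.0",
      resolved: "https://npm.internal.example/@acme/auth/-/auth-2.1.0.tgz" },
    "node_modules/acme-billing-utils": { version: "99.0.0",
      resolved: "https://registry.npmjs.org/acme-billing-utils/-/acme-billing-utils-99.0.0.tgz" },
    "node_modules/left-pad": { version: "1.3.0",
      resolved: "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz" },
  },
};
console.log(auditLockfile(sampleLock));
```

Publishing private packages under a scope and mapping that scope to the private registry in `.npmrc` (`@acme:registry=...`) removes the ambiguity this check looks for.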

The point

In years I don’t remember so many cases of libraries or other packages made this harmful by their creators themselves, for reasons outside the vulnerability scope.
I see these issues only in the JavaScript ecosystem, and if someone has examples from other ecosystems as well, I would be happy to add them here.

Honestly I think that the issue is right here: in other languages and ecosystems the developer is more conscious of the ethics and the impact that his work could have on the rest of the world.

Another fact, which maybe is not so important, is that often those developers have never used FOSS tools apart from the ones they use to develop.

I don’t know if this behaviour helps the FOSS world, as in this way the technology is seen as more for amateurs and not for professionals.

At the same time I don’t think that it will help those big companies to invest money to contribute to FOSS for their own security reasons, as often they have no idea what they are talking about.
Following the pyramid of Open Source scheme, I think that they care only about the fundamentals and not about the rest.

What can you do?

Contribute to open source, the right way. I never thought that this discussion would be a way to promote my free and open source book about my experience in Open Source in any role (developer, translator, supporter and so on).

It is time to do things not just for the sake of doing them but also in the right way, and to be conscious of the power of the people in FOSS.

UPDATE:

STOP the WAR in Ukraine, Russia!
