Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
IT

Is npm Enough? Why Startups Are Coming After This JavaScript Package Registry (redmonk.com) 21

The JavaScript package world is heating up as startups attempt to challenge npm's long-standing dominance. While npm remains the backbone of JavaScript dependency management, Deno's JSR and vlt's vsr have entered the scene with impressive backing and even more impressive leadership -- JSR comes from Node.js creator Ryan Dahl, while npm's own creator Isaac Schlueter is behind vsr. Neither aims to completely replace npm, instead building compatible layers that promise better developer experiences.

Many developers feel GitHub has left npm to stagnate since its 2020 acquisition, doing just enough to keep it running while neglecting innovations. Security problems and package spam have only intensified these frustrations. Yet these newcomers face the same harsh reality that pushed npm into GitHub's arms: running a package registry costs serious money -- not just for servers, but for lawyers handling trademark fights and content moderation.
This discussion has been archived. No new comments can be posted.

Is npm Enough? Why Startups Are Coming After This JavaScript Package Registry

Comments Filter:
  • I hate fucking around with package managers, but that's because I hate fucking around with packages. They call it "hell" for a reason. The only thing worse than having to fuck around with a package manager is having to fuck around with TWO package managers.
    • It's both a celebration and a destruction of open source as a concept.

      You can publish any sort of tool for others to use in their projects easily, and on the other side you can find a tool for almost anything you need. But the idea of just changing the code you fetch to suit your needs has become an extremely difficult problem to solve. You can't just go edit the code to fix it for your case and push it to your team's repo, and send a patch to the owner if you think it helps.

      No. Now you gotta go up to th

      • >You can't just go edit the code to fix it for your case and push it to your team's repo, and send a patch to the owner if you think it helps.

        Actually, you can, and I've had to do it (sadly more than once). You can:

        * patch the code in the `node_modules` on your server (and be careful about not letting `npm i` overwrite the fix)
        * copy the code (from node_modules) into your project, modify it, and change all your imports to reference it there
        * you can do a true fork (of the original project), modify it, b

        • That strategy only holds until you need to install a security update for one of the other packages, then, sorry, you're fucked, the dependency tree is ruined.

  • by ArchieBunker ( 132337 ) on Thursday February 27, 2025 @11:48AM (#65198841)

    How on earth did anyone ever write code before the advent of these always connected library collections?

    • You downloaded the libraries manually. As the repositories became more popular, and there was more cross-library code reuse, it required downloading more and more libraries individually. So the package manager was born.

    • Re:A question (Score:4, Informative)

      by DrXym ( 126579 ) on Thursday February 27, 2025 @03:54PM (#65199461)

      I've developed C and C++ for decades and the answer to that was you downloaded some random distribution of the thing you depended on and then you lashed everything together with string. Because different projects tended to be built in different ways and you had to coral the dependencies to build and link with your own compilation flags and link settings and it was all a massive pain in the ass. Consequently when you got things working you were averse to upgrade or change things because of the inherent time cost. As time went on, software got more complex so the need to use external libs for UI, crypto, web, database etc. just gets more and more involved. Things like CMake made life easier but it was still unpleasant. Then conan or vcpkg appeared up to add dependency management which made things slightly easier.

      But bottom line, life in languages without package management is bullshit. Be glad if your language toolchain has package management. That isn't the end of concerns of course. Packages come with their own risks in terms of security or breaking changes, so nothing is set it and forget it. Modern package managers attempt to mitigate some of the risks with audits, security checks etc. but there is still a risk that a rogue package 3 dependencies deep from your layer has been compromised. The "best of both worlds" would be toolchains that have secure repositories for convenience but allow devs to lock things down and use local snapshots or git hashes as deps if they prefer.

  • waste (Score:4, Interesting)

    by cen1 ( 2915315 ) on Thursday February 27, 2025 @12:41PM (#65198905)
    NPM single-handedly wasted millions of hours of developer time troubleshooting ridiculous issues and took us back at least 10 years by introducing the whole web cancer and JS dependency hell. Change my mind.
  • by Dracos ( 107777 ) on Thursday February 27, 2025 @01:56PM (#65199105)

    Has the package manager it deserves. It is a reflection of the language's community.

    NPM is:

    • One part "package" "manager" (for very loose definitions of both)
    • One part language shims
    • One part code snippet landfill

    More JS package managers won't fix anything. All the problems stem from what the JS community considers to be a package, and that in JS world DRY actually means desiccated.

    No other language's community would sincerely entertain the notion of an is-even package.

  • by Midnight Thunder ( 17205 ) on Thursday February 27, 2025 @02:22PM (#65199189) Homepage Journal

    The NPM site needs to improve and do a bit in terms of quality control. My items:

      - Preventing publishing packages with no linked website or README.md
      - Prevent duplicate packages which are just referring to the same GitHub repo (currently they don't seem to care)

  • by zkiwi34 ( 974563 ) on Thursday February 27, 2025 @03:03PM (#65199301)
    Should be consigned a speedy and horrible death. But I guess all this JavaScript is the best there is, yet... maybe it all needs a serious bit of rethinking, duels to the death etc

"Any excuse will serve a tyrant." -- Aesop

Working...