Don't use anything you didn't write yourself. Problem solved.
Return of the JSedi: After being ousted from NPM Inc, former CTO is back with rival package registry Entropic
Tuesday 4th June 2019 21:15 GMT Anonymous Coward
time to troll
But all the cool kids are into pulling in random stuff from the internet for nightly builds. No hipster millennial has time to understand things like threading or even how a computer works at the hardware level. It's all about gluing together whatever the hot new frameworks, runtimes and libraries are and posting your web "developer" cred on social media.
Tuesday 4th June 2019 01:44 GMT Notas Badoff
Where is the "single source of truth"?
"Entropic is federated," Silverio explained. "You can depend on packages from any other Entropic instance, and ..."
How will this compare to the level of 'trust' I can have in Git repositories? A specific revision is trustworthy because it exists in multiple places and its instance can't be faked when multiple repositories can be sampled. And I can have reasonable assurance where the revision came from.
But a JS package, a collection of many historical _and_ recent revisions? How will this work? When practically every other spork has a flaw that lets something dribble down chins, can we be assured the technical aspects are as fine as the social slogans?
(and no, I am not defending NPM - I think they sporked the durian quite fine, thank you)
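The comparison above, git's content addressing versus a package fetched from several registry instances, can be checked mechanically: pin the tarball's integrity once and verify that every instance serves the same bytes. This is an added illustration, not code from the commenter, from npm or from Entropic; the tarball contents, instance names and lockfile value are constructed, and Entropic's actual federation mechanism is not modelled.

```python
"""Constructed example: compare git's content-addressed blob id with an
npm-style SRI 'integrity' check over one package tarball as served by
several (fabricated) registry instances."""
import base64
import hashlib


def git_blob_id(content):
    """Git names a blob by SHA-1 over 'blob <size>\\0<content>'; the id
    follows from the bytes alone, so any copy can be verified locally."""
    header = b"blob %d\0" % len(content)
    return hashlib.sha1(header + content).hexdigest()


def sri_sha512(content):
    """npm lockfiles record 'integrity' as Subresource Integrity text:
    'sha512-' followed by the base64 digest of the tarball bytes."""
    digest = hashlib.sha512(content).digest()
    return "sha512-" + base64.b64encode(digest).decode("ascii")


def check_instances(pinned_integrity, served):
    """For each registry instance, True if the bytes it served match the
    integrity value pinned in the lockfile, else False."""
    return {name: sri_sha512(blob) == pinned_integrity
            for name, blob in served.items()}


def all_agree(served):
    """True when every sampled instance served byte-identical content."""
    return len({sri_sha512(blob) for blob in served.values()}) == 1


# Constructed stand-ins for a real .tgz and a copy with bytes appended.
GOOD = b"fake-tarball: example-pkg@1.0.0\n"
TAMPERED = GOOD + b"# extra bytes appended by one mirror\n"
PINNED = sri_sha512(GOOD)  # what package-lock.json would have recorded

# Three fabricated instances of a federated registry; one disagrees.
SERVED = {"instance-a": GOOD, "instance-b": GOOD, "instance-c": TAMPERED}

if __name__ == "__main__":
    print("git blob id of empty file:", git_blob_id(b""))
    print("per-instance integrity match:", check_instances(PINNED, SERVED))
    print("all instances agree:", all_agree(SERVED))
```

Sampling several instances only detects disagreement; the pinned integrity value is what lets a single download be rejected on its own.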