Reply to post: Re: Thames

How one developer just broke Node, Babel and thousands of projects in 11 lines of JavaScript

I am the liquor

Re: Thames

"1. Every platform uses some package manager hosted by some company. There's no reason why, say, RedHat is more trustworthy than NPM, Inc."

Better package managers, like NuGet or Ruby Gems, don't allow users to delete their packages once they've been published, precisely to prevent the problem that has happened here on NPM.

Of course even with those you still have the risk of your dependencies disappearing due to legal threats or other special circumstances. I've never really felt comfortable relying on pulling my build dependencies from a package manager, even if it is the recommended model with the likes of NuGet.

Biting the hand that feeds IT © 1998–2020