Thank god for proxy registries. I love Node, but it’s like using a house of cards as the foundation of a skyscraper.
Comment on Why is the Node ecosystem so demanding?
ono@lemmy.ca 1 year ago
My take: It’s because the “trust everything from everybody” model is fundamentally broken.
Note that the “trust” here is not only about avoiding malicious or vulnerable code, but also about dependability. Even if you ignore the “supply chain” security problems inherent in this model, it practically guarantees that breakage like this will happen.
This is part of why I prefer languages with robust standard libraries, and why I am very picky about third party dependencies.
howlongisleft@lemmy.world 1 year ago
BrianTheeBiscuiteer@lemmy.world 1 year ago
The fact that NPM can’t use multiple registries (yes, I know about scoped registries) is astounding. For every other language my org will separate artifacts into half a dozen or so virtual repos. The artifact team is quite annoyed that Node/JavaScript has to all go into one uber-repo.
lemann@lemmy.one 1 year ago
I personally don’t trust NodeJS libraries that much - I always run projects inside Docker as a regular user with access to the working directory, just in case the supply chain is poisoned.
In the case of Python, particularly when I was testing out the LLaMA model, I just stood up a new VM for that. Back then safetensors wasn’t a thing, and the model tensor file format (python pickle-based) could potentially store arbitrary code.
Robust standard libraries are amazing to have.
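One defensive pattern for the pickle problem described above is a restricted unpickler that refuses any global not on an explicit allow-list, so a stream referencing an arbitrary callable fails before it is invoked. This is an added example, not code from the thread; the allow-list, the sample streams and the `_CallsGlobal` stand-in class are constructed for the demonstration.

```python
import collections
import io
import os
import pickle

# Assumed allow-list: the only module/name pairs the unpickler may resolve.
# Plain containers and scalars need no global lookup at all, so a real
# tensor/weights loader can keep this list very short.
SAFE_GLOBALS = {
    ("builtins", "list"),
    ("builtins", "dict"),
    ("builtins", "tuple"),
    ("collections", "OrderedDict"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that resolves globals only from SAFE_GLOBALS."""

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        # Any other reference (os.*, subprocess.*, ...) is refused before it runs.
        raise pickle.UnpicklingError(f"refusing to load global {module}.{name}")


def safe_loads(data: bytes):
    """Deserialize with the allow-list enforced; raises on disallowed globals."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def is_safe_pickle(data: bytes) -> bool:
    """True when the stream can be loaded without touching a disallowed global."""
    try:
        safe_loads(data)
        return True
    except pickle.UnpicklingError:
        return False


class _CallsGlobal:
    """Constructed sample: pickles to a call of os.getcwd, a harmless stand-in
    for the arbitrary callable a hostile model file could reference."""

    def __reduce__(self):
        return (os.getcwd, ())


# Constructed sample streams: one benign "weights" blob and one that invokes a global.
BENIGN_PICKLE = pickle.dumps({"weights": [0.1, 0.2],
                              "meta": collections.OrderedDict(layers=2)})
HOSTILE_PICKLE = pickle.dumps(_CallsGlobal())
```

Plain `pickle.loads(HOSTILE_PICKLE)` would call `os.getcwd` during deserialization, while `safe_loads` rejects the stream.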
odbol@lemmy.world 1 year ago
What languages are those? And if you say C/C++ I’m going to laugh
planish@sh.itjust.works 1 year ago
The C++20 or so STL actually has things in it now.
kono_throwaway_da@sh.itjust.works 1 year ago
It’s been better but still has a long way to go though, particularly regarding string handling