
Why was npm written in JavaScript? [closed]

I looked into npm's package.json file and discovered that npm is actually just a Node.js package which has a lot of dependencies such as lodash. This means the situation that happened with the left-pad package that broke a lot of npm packages could affect npm too. I see that there is some tendency: pip is written in Python, RubyGems in Ruby, Composer in PHP, Maven in Java and so on. But is it good to write a package manager in the target language?

jstice4all asked Mar 12 '23 17:03


1 Answer

More specifically, npm was written using npm - JavaScript has nothing to do with the npm leftpad incident. I can't imagine them not using their own product for several reasons:

  1. It's a tool for managing software dependencies. They must use one. Would you propose they use someone else's? Of course, if you trust your product you're going to use it yourself.
  2. The leftpad "incident" was a policy flaw more than a software flaw which they obviously did not predict or consider to be a serious concern until something serious happened. Therefore, why would this be a reason not to use npm?
  3. Of the hundreds of thousands of packages hosted it can't have happened too often or it would have been fixed long ago. That's quite impressive.
  4. It was pretty easy to fix just by updating the caching policy and so it's not a threat to npm.
  5. Other package management tools have had similar problems (or worse). For example, an entire Maven repository went offline due to lack of funding. This is unlikely to happen to npm because it is centralized and there are many large stakeholders who are interested in making sure it stays up.
  6. Incidents like these make the ecosystem more stable and mature.
  7. Like all stories, this will blow over in no time.
chriskelly answered Mar 15 '23 06:03