Is there really a problem with NPM use?
Short answer: no.
Long answer: it’s complicated.
I am nothing but thankful for the tonnes of NPM packages. I would never have built web applications that could support thousands of users all by myself without all those hundreds of packages. There are thousands of developers (if not millions) who do much better work than I could.
With NPM supporting what I do, I just identify the right solution, search NPM / GitHub, and most of the time find it. At least I find something in the general area of what I am looking for.
I am in awe with the power of NPM - it is just amazing.
But, that also makes things a bit weird and flaky.
NPM packages are built using other packages as well. The dependencies include millions of packages that may or may not be maintained.
Then there are people like myself who blindly go with packages just because we trust someone else rather than ourselves.
While most developers are passionate and do an excellent job, the lack of direct recognition, low compensation for their wonderful work, or plain boredom drives a few away. Their packages lose focus, and that can lead to cascading issues.
For example:
- We have the isobject package that 3.8M packages depend on. The package may have started for a purpose, but now we can do the same thing in JavaScript with a single line (using exactly the line included in the package; I am not making it up):
    return val != null && typeof val === "object" && Array.isArray(val) === false;
- It only gets more serious from there: malicious code was introduced into the event-stream package by a new maintainer. The code targeted users of a particular piece of software that dealt with bitcoin and stole their bitcoin. The incident was widely reported, and it shows what could have happened many times over. Luckily, really smart people jumped in and helped out the community.
The problems are not specific to NPM, I get that. NPM just happens to be singled out because it is so popular and huge. Never in history have we had such a big repository of code, and bad apples tend to be part of the story at some time or another.
But at the same time, that statement doesn’t offer any solace. Building something on shaky ground can lead to catastrophe if the “something” is crucial for the well-being of humanity.
I am scared. What can I do?
Well, I can speak for myself: I don’t see a sensible way out. NPM is great for the community, and we can go from strength to strength standing on the shoulders of giants. Your mileage may vary depending on your situation.
A somewhat workable plan to mitigate big issues in the short to medium term when using NPM:
- Always use native capabilities whenever you can. Create your own libraries and reuse them across projects.
- If you are part of an organization, consider private repositories and packages.
- Always refer to exact versions in your apps in package.json. Any updates and upgrades can then be controlled manually. Don’t upgrade to the latest and greatest in your sensitive apps; this is especially true if you are part of an enterprise.
Doing this can potentially increase your work, but it helps you program more defensively in an environment that you don’t control.
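One way to enforce the exact-version rule above, as an added example that is not part of the original post: a small Node script that reads a package.json and flags every dependency whose specifier is a range or dist-tag rather than a pinned version. The manifest is a constructed sample, and the function names are my own.

```javascript
// Added example: flag dependencies in a package.json that are not pinned to
// an exact version (ranges such as ^1.2.3, ~1.2.3, >=1.0.0, *, or "latest").
// Constructed sample manifest for illustration; not taken from a real project.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "example-app",
  dependencies: {
    "isobject": "4.0.0",          // pinned: resolves to the same tarball every time
    "event-stream": "^3.3.4",     // caret range: floats to new minors and patches
    "lodash": "~4.17.21",         // tilde range: floats to new patches
    "left-pad": "latest"          // dist-tag: whatever the registry points at today
  },
  devDependencies: {
    "eslint": ">=8.0.0",          // comparator range
    "jest": "29.7.0"              // pinned
  }
});

// Exact version: MAJOR.MINOR.PATCH with optional prerelease / build suffix
// (simplified semver 2.0.0 grammar; leading-zero rules are not checked).
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

function isExactVersion(spec) {
  return typeof spec === "string" && EXACT_VERSION.test(spec.trim());
}

// Return one entry per dependency that is not pinned, across the dependency
// sections npm honours, so the result can drive a CI gate.
function findUnpinned(packageJsonText) {
  const manifest = JSON.parse(packageJsonText);
  const sections = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];
  const unpinned = [];
  for (const section of sections) {
    for (const [name, spec] of Object.entries(manifest[section] || {})) {
      if (!isExactVersion(spec)) {
        unpinned.push({ section, name, spec });
      }
    }
  }
  return unpinned;
}

// Report on the constructed sample; swap in the contents of a real
// package.json to audit a project.
for (const { section, name, spec } of findUnpinned(SAMPLE_PACKAGE_JSON)) {
  console.log(`${section}: ${name}@${spec} is not pinned to an exact version`);
}
```

Pinning in package.json controls only direct dependencies; committing the lockfile (package-lock.json) is what holds transitive versions still, and the `save-exact=true` setting in .npmrc makes npm write pinned specifiers by default.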
In the long term:
- invent a new programming language with a new programming paradigm
- have AI write programs and AI write other AI. Get yourself another job