> none of them seem to want to abandon npm which keeps getting exploited and hacked

Do you know of a better alternative for JS/TS that has all the popular packages?

Not perfect, but I use Verdaccio to run my own npm server and for third party deps, I clone, eval, and then if it's clean, push a safe copy to my own server (not for everything, just the most sensitive, hardcore stuff but eyeballing building a tool to semi-automate it due to recent chaos). You can even clone from remote URLs (point to a tarball from package.json instead of a version) so I've considered just using a private bucket.

Tedious, but makes the "npm hacked again" posts mostly moot.
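One way to script the "clone, eval" step from the comment above before mirroring a package to a private registry, as an added example that is not the commenter's tooling: it unpacks an npm tarball, computes the `sha512-…` integrity string in the same SRI format npm records in package-lock.json (so it can be compared against the lockfile or `dist.integrity`), lists the shipped files, and flags any lifecycle scripts that would execute on install. The package here is constructed inline so the script runs offline.

```python
import base64
import hashlib
import io
import json
import tarfile

# Lifecycle hooks that npm runs automatically during `npm install`.
LIFECYCLE = ("preinstall", "install", "postinstall", "prepare")


def sri_integrity(data: bytes) -> str:
    """npm-style Subresource Integrity string for a tarball (sha512, base64)."""
    return "sha512-" + base64.b64encode(hashlib.sha512(data).digest()).decode()


def audit_tarball(data: bytes) -> dict:
    """Summarize what ships and what would run if this tarball were installed."""
    report = {"integrity": sri_integrity(data), "files": [], "install_scripts": {}}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            report["files"].append(member.name)
            # npm tarballs place the package under a top-level "package/" directory.
            if member.name == "package/package.json":
                manifest = json.load(tar.extractfile(member))
                scripts = manifest.get("scripts", {})
                report["install_scripts"] = {k: v for k, v in scripts.items() if k in LIFECYCLE}
    return report


def build_sample_tarball() -> bytes:
    """Constructed sample (not a real package): declares a postinstall hook."""
    manifest = {"name": "example-dep", "version": "1.0.0",
                "scripts": {"postinstall": "node setup.js", "test": "jest"}}
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, body in [("package/package.json", json.dumps(manifest).encode()),
                           ("package/setup.js", b"console.log('hello');\n"),
                           ("package/index.js", b"module.exports = 1;\n")]:
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()


if __name__ == "__main__":
    print(json.dumps(audit_tarball(build_sample_tarball()), indent=2))
```

A package whose `install_scripts` is non-empty deserves a manual read before it is pushed to the private registry; the integrity string lets you confirm the mirrored copy is byte-identical to what was reviewed.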

Also Rubygems, Packagist, PyPI

What's the worst hack to affect users of rubygems?

DHH, of course.

From my perspective it is a synthesis of "It is difficult to get a man to understand something, when his salary depends upon his not understanding it." and "but npm is the source of all the shiny shiny!".