I am actually pushing our frontend devs to remove more and more dependencies and leverage LLMs to just write the code instead of all the dumbass packages in the hellscape of supply chain attacks via node/npm.
You are signing up for another hellscape of unmaintainable slop. Enable package cooldowns and only whitelist internal packages and you are better off than 90%.
You act like the existing packages being published in this ecosystem aren’t already slop or quickly getting there.

We already do cooldowns and disable preinstall and postinstall scripts on all packages except for ones that actually require it.

I bet if you looked at 70% of your dependencies pulled in, you would be horrified. I would rather have those capabilities via code in my repos at this point.

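The two controls discussed in the comments above (a release-age cooldown before a new version is installable, and lifecycle scripts disabled everywhere except for an explicit allowlist) as an added example of what such a pre-install policy check looks like in code. This is illustrative code written for this page, not the commenter's setup or any package manager's implementation. The packument shape (`versions`, `time`, `dist-tags`) is what the npm registry returns for `https://registry.npmjs.org/<name>`; the package names, publish dates, policy values and the `decide` helper are constructed for the example.

```javascript
// Added example (not from the thread): a pre-install policy check that applies
// a release-age cooldown and a lifecycle-script allowlist to a registry
// "packument". Field names mirror the npm registry; all values are constructed.

const POLICY = {
  cooldownDays: 7,                                       // ignore releases younger than this
  internalScopes: ["@acme"],                             // our own scope: always trusted (assumed name)
  scriptsAllowlist: ["esbuild", "@acme/native-addon"],   // may run (pre|post)install (assumed names)
};

// Constructed packument in the shape of a registry response. Every version has
// a publish timestamp under `time`; that is what the cooldown is computed from.
const PACKUMENT = {
  name: "left-pad-ish",
  "dist-tags": { latest: "2.0.0" },
  versions: { "1.0.0": {}, "1.1.0": {}, "2.0.0": {} },
  time: {
    created: "2024-01-01T00:00:00.000Z",
    "1.0.0": "2024-01-01T00:00:00.000Z",
    "1.1.0": "2024-03-01T00:00:00.000Z",
    "2.0.0": "2024-06-10T00:00:00.000Z",   // published 2 days before NOW
  },
};

// Fixed "current time" so the example is deterministic offline.
const NOW = new Date("2024-06-12T00:00:00.000Z");

function parseVersion(v) {
  return v.split(".").map((n) => Number.parseInt(n, 10));
}

// Numeric major.minor.patch ordering (enough for this example; no prerelease tags).
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Returns the newest version published at least `cooldownDays` before `now`,
// or null if nothing is old enough. A version with no usable publish time is
// treated as not eligible: unknown age fails closed, not open.
function selectVersion(packument, policy, now = new Date()) {
  const cutoff = now.getTime() - policy.cooldownDays * 86_400_000;
  const eligible = Object.keys(packument.versions).filter((v) => {
    const published = Date.parse(packument.time[v]);
    return Number.isFinite(published) && published <= cutoff;
  });
  if (eligible.length === 0) return null;
  eligible.sort(compareVersions);
  return eligible[eligible.length - 1];
}

function isInternal(name, policy) {
  return policy.internalScopes.some((scope) => name.startsWith(scope + "/"));
}

// Lifecycle scripts are off globally (ignore-scripts=true in .npmrc); this
// decides which packages get an exception, as the comment above describes.
function mayRunScripts(name, policy) {
  return isInternal(name, policy) || policy.scriptsAllowlist.includes(name);
}

// Combined decision for one package: which version to pin and whether its
// install scripts may run.
function decide(packument, policy, now = new Date()) {
  const version = selectVersion(packument, policy, now);
  return {
    name: packument.name,
    version,
    latestSkipped: version !== packument["dist-tags"].latest,
    scripts: mayRunScripts(packument.name, policy),
  };
}

console.log(decide(PACKUMENT, POLICY, NOW));
```

With the constructed data the check pins `1.1.0` and skips the two-day-old `2.0.0`, and refuses to run `left-pad-ish`'s install scripts because it is neither internal nor allowlisted. In practice the same two knobs exist natively: `ignore-scripts=true` in `.npmrc` turns lifecycle scripts off for npm, and pnpm exposes a release-age gate (`minimumReleaseAge`) and a per-package script allowlist (`onlyBuiltDependencies`) in its own config, so the script above is a model of the policy rather than something you would ship.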
How do you bundle web workers that import dependencies? IIRC the issue in esbuild for that is still open and users are manually building their workers as separate entry points, which is very fragile.