Comment by pier25 6 days ago

Would you rather use an officially maintained solution or some random package by a random author who might abandon the project (or worse)?

greener_grass 6 days ago

The S3 packages on NPM are maintained by AWS

  • pier25 6 days ago

    Indeed, but I was arguing about a general point.

    I'd be surprised if any of your Node projects had fewer than 100 total deps, of which a large number will be maintained by a single person.

    See Express for example. 66 total deps with 26 deps relying on a single maintainer.

    https://npmgraph.js.org/?q=express

    But even in the case of the official aws-sdk they recently deprecated v2. I now need to update all my not-so-old Node projects to work with the newer version. Probably wouldn't have happened if I had used Bun's S3 client.

    • greener_grass 6 days ago

      So let's put every package under the sun into the client?

      This approach does not scale. We should make NPM better.

      • pier25 6 days ago

        How do you make NPM better?

        BTW I'm not saying we should kill NPM. What I'm saying is we should reduce our dependence on random packages.

        Bun doesn't need to add everything into the core engine. E.g., when using .NET you still add plenty of official Microsoft dependencies from Nuget.

        • greener_grass 5 days ago

          - NPM could migrate to reproducible builds of artefacts

          - Trust could be opt-in by default

          - Dependency installation could be made fully reproducible