Comment by skydhash

Comment by skydhash 4 days ago

2 replies

JavaScript is actually fine, as the warts have been documented. The main issue these days is the billions of tiny packages. So many people/orgs to trust for every project that uses npm.

zahlman 4 days ago

Nobody is forcing you to use the tiny packages.

The fact that the tiny packages are so popular despite their triviality is, to me, solid evidence that simply documenting the warts does not in fact make everything fine.

And I say this as someone who is generally pro having more small-but-not-tiny packages (say, on the order of a few hundred to a few thousand lines) in the Python ecosystem.

  • hollerith 4 days ago

    The point is that Zed's developers have chosen to include prettier, which probably transitively includes many other NPM packages.

    Node and these NPM packages represent a large increase in attack surface for a relatively small benefit (namely, prettier is included in Zed so that Zed's settings.json is easier to read and edit) which makes me wonder whether Zed's devs care about security at all.
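As an added example (not code from this thread, from Zed, or from prettier): the transitive-dependency walk that hollerith's "probably transitively includes many other NPM packages" rests on, run over a constructed package-lock.json v3 `packages` map with npm's nested `node_modules` lookup; the package names pkg-a/pkg-b/pkg-c and their versions are made up.

```javascript
// Constructed lockfile fragment shaped like the "packages" map of a
// package-lock.json v3; names and versions are invented for illustration.
const LOCK = {
  "": { dependencies: { prettier: "^3.0.0" } },
  "node_modules/prettier": { version: "3.0.0", dependencies: { "pkg-a": "^1.0.0", "pkg-b": "^2.0.0" } },
  "node_modules/pkg-a": { version: "1.0.0", dependencies: { "pkg-c": "^1.0.0" } },
  "node_modules/pkg-b": { version: "2.0.0", dependencies: { "pkg-c": "^2.0.0" } },
  "node_modules/pkg-c": { version: "1.0.0" },
  "node_modules/pkg-b/node_modules/pkg-c": { version: "2.0.0" }, // nested, un-hoisted copy
  "node_modules/unrelated": { version: "0.1.0" }, // installed, but not reached via prettier
};

// Resolve `name` as required from the package at `fromPath`: check the nearest
// node_modules directory, then walk up toward the project root (npm's lookup order).
function resolve(lock, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (lock[candidate]) return candidate;
    if (!base) return null; // reached the root without finding it
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Return every installed package path reachable from one direct dependency.
// Each entry is a separate piece of third-party code that runs in your build or app.
function transitiveClosure(lock, rootDep) {
  const start = resolve(lock, "", rootDep);
  const seen = new Set();
  const stack = start ? [start] : [];
  while (stack.length) {
    const p = stack.pop();
    if (seen.has(p)) continue;
    seen.add(p);
    for (const dep of Object.keys(lock[p].dependencies || {})) {
      const r = resolve(lock, p, dep);
      if (r && !seen.has(r)) stack.push(r);
    }
  }
  return [...seen].sort();
}

// Collapse paths to package names (works for scoped names like @scope/name too),
// i.e. the number of distinct publishers you end up trusting.
function distinctPackageNames(paths) {
  const marker = "node_modules/";
  return new Set(paths.map((p) => p.slice(p.lastIndexOf(marker) + marker.length)));
}
```

Running `transitiveClosure(LOCK, "prettier")` on the constructed lockfile yields five installed copies across four distinct package names, and the unrelated package is correctly left out; pointing the same walk at a real lockfile is how you would size the surface the comment above describes.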