NPM ecosystem: Should we decouple?
Problem/Opportunity Statement
The NPM ecosystem is great and all, but do we really need all the problems that come with it?
According to The State of Open Source Security 2020, there are more than 1,300,000 packages on NPM!
Also:
- 52% of All JavaScript npm Packages Could Have Been Hacked via Weak Credentials
- Hacking 20 high-profile dev accounts could compromise half of the npm ecosystem
- Ryan Dahl’s Biggest Regrets About Node.js
- Etc.
Electron is our biggest anchor to the Node.js world. Once we remove Electron we might be able to sever that link completely, or at least reduce our exposure.
We could look at elm-tooling instead:
Why install Elm tools using elm-tooling instead of npm? Installing elm, elm-format and elm-json using npm and elm-tooling:

| Metric                | npm        | elm-tooling |
|-----------------------|------------|-------------|
| Number of packages    | 70         | 1           |
| node_modules/ size    | 45 MB      | 120 KB      |
| Installation time     | 9 s        | 2 s         |
| Re-installation time  | 9 s        | 0.5 s       |
| Processing            | Sequential | Parallel    |
| Download verification | None       | SHA256      |
See:
- Why install Elm tools using elm-tooling instead of npm?
- Is elm-tooling forever locked into the npm ecosystem?
  - TLDR: No.
What would success / a fix look like?
- No NPM packages required
- If that's not possible now, then orders of magnitude fewer NPM packages would be great (currently we have 566 packages in package-lock.json)
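To track the "number of packages" success metric, and the "Download verification" column from the elm-tooling comparison, the package count can be measured directly from package-lock.json rather than estimated. The script below is an added example, not part of this proposal or of elm-tooling. It follows the documented npm lockfile layouts (lockfileVersion 1 nests installed packages recursively under "dependencies"; lockfileVersion 2 and 3 flatten them under "packages" keyed by node_modules path) and reports how many installed entries carry an integrity hash npm can check at install time. The two sample lockfiles are constructed for illustration; the function and field names are this example's own.

```python
"""Audit a package-lock.json: how many packages does the tree really pull in,
and how many of those entries carry an integrity hash?

Added example (not part of the original proposal or of elm-tooling).
Lockfile layouts follow npm's documented formats:
  - lockfileVersion 1: installed packages nest recursively under "dependencies"
    ("requires" lists version ranges only and is not an installed package)
  - lockfileVersion 2 and 3: every installed package is flattened under
    "packages", keyed by its node_modules path; "" is the root project
"""
import json
from dataclasses import dataclass, field


@dataclass
class LockReport:
    lockfile_version: int
    total: int                                      # installed entries (the "566" metric)
    unverified: list = field(default_factory=list)  # entries with no integrity hash
    algorithms: dict = field(default_factory=dict)  # hash algorithm -> count, e.g. {"sha512": 3}


def _record(report: LockReport, name: str, entry: dict) -> None:
    """Classify one installed entry by its integrity field (SRI format: algo-base64)."""
    integrity = entry.get("integrity")
    if not integrity:
        report.unverified.append(name)
        return
    algo = integrity.split("-", 1)[0]
    report.algorithms[algo] = report.algorithms.get(algo, 0) + 1


def _walk_v1(deps: dict, report: LockReport) -> None:
    """lockfileVersion 1: each dependency may carry its own nested 'dependencies'."""
    for name, entry in deps.items():
        report.total += 1
        _record(report, name, entry)
        _walk_v1(entry.get("dependencies", {}), report)


def audit_lock(lock: dict) -> LockReport:
    version = lock.get("lockfileVersion", 1)   # absent in very old lockfiles -> v1
    report = LockReport(lockfile_version=version, total=0)
    if version >= 2:
        for path, entry in lock.get("packages", {}).items():
            if path == "":            # the root project itself, not a dependency
                continue
            if entry.get("link"):     # workspace symlink; nothing was downloaded
                continue
            report.total += 1
            _record(report, path, entry)
    else:
        _walk_v1(lock.get("dependencies", {}), report)
    return report


def audit_lock_text(text: str) -> LockReport:
    """Convenience wrapper for a lockfile read from disk."""
    return audit_lock(json.loads(text))


# Constructed sample lockfiles (not real projects; hashes are placeholders).
SAMPLE_LOCK_V3 = {
    "name": "app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "app", "dependencies": {"elm": "0.19.1-5"}},
        "node_modules/elm": {"version": "0.19.1-5",
                             "resolved": "https://registry.npmjs.org/elm/-/elm-0.19.1-5.tgz",
                             "integrity": "sha512-PLACEHOLDER"},
        "node_modules/leftpad": {"version": "1.0.0",
                                 "resolved": "https://registry.npmjs.org/leftpad/-/leftpad-1.0.0.tgz"},
        "node_modules/chalk": {"version": "2.4.2",
                               "resolved": "https://registry.npmjs.org/chalk/-/chalk-2.4.2.tgz",
                               "integrity": "sha1-PLACEHOLDER"},
        "node_modules/my-lib": {"resolved": "packages/my-lib", "link": True},
    },
}

SAMPLE_LOCK_V1 = {
    "name": "app",
    "lockfileVersion": 1,
    "dependencies": {
        "a": {"version": "1.0.0", "integrity": "sha512-PLACEHOLDER",
              "requires": {"b": "^2.0.0"},
              "dependencies": {"b": {"version": "2.0.0", "integrity": "sha512-PLACEHOLDER"}}},
        "c": {"version": "3.0.0"},
    },
}

if __name__ == "__main__":
    for lock in (SAMPLE_LOCK_V3, SAMPLE_LOCK_V1):
        r = audit_lock(lock)
        print(f"lockfileVersion {r.lockfile_version}: {r.total} packages, "
              f"{len(r.unverified)} without integrity {r.unverified}, by algorithm {r.algorithms}")
```

Run it against the project's real lockfile with `audit_lock_text(open("package-lock.json").read())`; the `total` is the number to drive down, and any names left in `unverified` are entries npm installs with no hash to check against the tarball it downloads.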
