NPM ecosystem: Should we decouple?
## Problem/Opportunity Statement

The NPM ecosystem is great-and-all, but do we really need all the problems associated with it?

![node_modules_whyyyyy](/uploads/2970e117595ec59d6b4d732d0ae34e6d/node_modules_whyyyyy.png)

According to [The State of Open Source Security 2020](https://snyk.io/open-source-security/) there are more than 1,300,000 packages on NPM! :head_bandage:

Also:

- [52% of All JavaScript npm Packages Could Have Been Hacked via Weak Credentials](https://www.bleepingcomputer.com/news/security/52-percent-of-all-javascript-npm-packages-could-have-been-hacked-via-weak-credentials/)
- [Hacking 20 high-profile dev accounts could compromise half of the npm ecosystem](https://www.zdnet.com/article/hacking-20-high-profile-dev-accounts-could-compromise-half-of-the-npm-ecosystem/)
- [Ryan Dahl’s Biggest Regrets About Node.js](https://waynemortensonblog.wordpress.com/2020/01/08/ryan-dahls-biggest-regrets-about-node-js/)
- Etc.

Electron is our biggest anchor to the Node.js world. Once [we remove Electron](https://gitlab.com/exosphere/exosphere/-/issues/463) we might be able to sever that link completely, or at least reduce our exposure.

We could look at [elm-tooling](https://elm-tooling.github.io/elm-tooling-cli/) instead:

> ## Why install Elm tools using `elm-tooling` instead of `npm`?
>
> Installing `elm`, `elm-format` and `elm-json` using `npm` and `elm-tooling`:
>
> | Metric                | npm        | elm-tooling |
> | --------------------- | ---------- | ----------- |
> | Number of packages    | 70         | 1           |
> | `node_modules/` size  | 45 MB      | 120 KB      |
> | Installation time     | 9 s        | 2 s         |
> | Re-installation time  | 9 s        | 0.5 s       |
> | Processing            | Sequential | Parallel    |
> | Download verification | None       | SHA256      |

See:

- [Why install Elm tools using `elm-tooling` instead of `npm`?](https://elm-tooling.github.io/elm-tooling-cli/faq/#why-install-elm-tools-using-elm-tooling-instead-of-npm)
- [Is elm-tooling forever locked into the npm ecosystem?](https://elm-tooling.github.io/elm-tooling-cli/faq/#is-elm-tooling-forever-locked-into-the-npm-ecosystem)
  - TLDR; No.

## What would success / a fix look like?

- No NPM packages required
- If that's not possible now, then orders of magnitude fewer NPM packages would be great (currently we have 566 packages in `package-lock.json`)