In decreasing order of importance: culture, a good standard library, and tooling that pushes you to be deliberate about your dependencies rather than dumping 300 stupid packages inside every project.
Maven is incredibly well designed (and ironically gets nothing but hate for it); it's probably the hidden reason Java is so successful.
Why does Maven exist, without the commercial compromises of NPM? Probably because Java has the well-funded, well-supported, but non-profit and community-oriented Apache foundation, which is something extremely rare and precious (and probably at least partly a lucky result of Java's complicated legal history).
(JS has plenty of great utility libraries. The problem is that its package management is excessively centralised and not managed terribly well)
The operators of Maven Central deserve a lot of credit for their good stewardship. Unlike the NPM registry, Maven Central does not permit anyone to unpublish packages. Unlike the NPM registry, Maven Central requires verification of domain or forge account ownership to claim a namespace. These are good practices, and anyone seeking to create a central package registry would do well to at least consider this. Maven Central is currently operated by Sonatype, but it has changed hands a few times. This article covers its history: https://www.sonatype.com/blog/the-history-of-maven-central-a...
Additionally, it is standard practice in the Java world, which is more "corporate" or "enterprise-y", for better and for worse, to have organisations operate their own internal package registries / mirrors. Even if you unpublished a major package from Maven Central, many organisations would be completely unaffected because they retain archived copies of all of their dependencies.
Arguably the root problem was lack of user namespacing; the incident would have been less likely to happen in the first place if the packages in question were named "~akoculu/left-pad" and "~akoculu/kik".
madeofpalk|8 months ago
Lodash has had pad/padStart/padEnd since 2016, 3 months before the left-pad incident. https://lodash.info/doc/pad
lmm|8 months ago
oftenwrong|8 months ago