top | item 46877036

umvi | 26 days ago

> no longer any need to use a library at all

As someone who works on medical device software, I see this as a huge plus (maybe a con for FOSS specifically, but a net win overall).

I'm a big proponent of the go-ism "A little copying is better than a little dependency". Maybe we need a new proverb "A little generated code is better than a little dependency". Fewer dependencies = smaller cybersecurity burden, smaller regulatory burden, and more.

Now, obviously foregoing libsodium or something for generated code is a bad idea, but probably 90%+ of npm packages could probably go.

no_wizard | 26 days ago

> probably 90%+ of npm packages could probably go

I feel npm gets held to an unreasonable standard. The fact is tons of beginners across the world publish packages to it. Some projects publish lots of packages to it that only make sense for those projects but are public anyway then you have the bulwark pa lager that most orgs use.

It is unfair to me that it’s always held as the “problematic registry”. When you have a single registry for the most popular language and arguably most used language in the world you’re gonna see a massive volume of all kinds of packages; it doesn’t mean 90% of npm is useless.

FWIW I find most pypi packages worthless and fairly low quality but no ones seems to want to bring that up all the time

rpodraza | 26 days ago

I think you are completely oblivious to the problems plaguing the NPM ecosystem. When you start a typical frontend project using modern technology, you will introduce hundreds, if not thousands of small packages. These packages get new security holes daily, are often maintained by single people, are subject to being removed, to supply chain attacks, download random crap from github, etc. Each of them should ideally be approved and monitored for changes, uploaded to the company repo to avoid build problems when it gets taken down, etc.

Compare this to Java ecosystem where a typical project will get an order of magnitude fewer packages, from vendors you can mostly trust.

int_19h | 26 days ago

It's a matter of community culture. In the Node.js ecosystem, all those tiny packages are actually getting widely used, to the extent that it's hard to draw a line between them and well-established packages (esp. when the latter start taking them as dependencies!). Python has been npm'ified for a while now but people are still generally more suspicious of packages like that.

macleginn | 26 days ago

Since code-generating AIs were likely trained on them, they won't go too far, though.

dayjaby | 26 days ago

I am utterly confused at how you think rewriting entire libraries has fewer security holes than battle-hardened libraries that 1000s of other people use.

umvi | 25 days ago

- Generating your own left pad means you don't have to pull in an external left pad

- Which in turn means left pad doesn't show up on your SBOM

- Which in turn means CVEs won't show up for left pad when you run your SBOM through SCA

- Which means you don't have to do any CVE triage, risk analysis, and mitigation (patching) for left pad

- It also means you don't have to do SOUP testing for left pad

Now imagine you've done that for a dozen libraries that you are only using a small piece of. That's a ton of regulatory and cybersecurity work you've saved yourself. I never claimed generating code makes your software more secure, I claimed it can reduce the regulatory and cybersecurity burden on your SDLC, which it does as demonstrated above. Taken to the extreme (0 external dependencies), your regulatory burden for SOUP and SCA goes to zero.
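The SBOM-to-SCA chain described in the comment above, shown as a runnable toy. This is an added example, not code from the thread or from any SCA product: it matches a CycloneDX-style component list against an OSV-style advisory list by package URL and version range, once for a project that pulls in a left-pad package and once for the same project with that function vendored or generated in-tree. The SBOM fragments, the version numbers and the advisory ids are all constructed placeholders.

```python
"""Toy software-composition-analysis (SCA) pass over a CycloneDX-style SBOM.

Added example, not code from the thread. Both SBOM component lists and the
advisory feed are constructed; version numbers and advisory ids are
placeholders, not real CVEs.
"""
import json

# Constructed CycloneDX-like SBOM fragments. First: the project depends on a
# left-pad package. Second: the same project with left-pad vendored/generated
# in-tree, so it is first-party code and never appears as a component.
SBOM_WITH_DEP = {
    "bomFormat": "CycloneDX",
    "components": [
        {"type": "library", "name": "left-pad", "version": "1.1.3",
         "purl": "pkg:npm/left-pad@1.1.3"},
        {"type": "library", "name": "example-http", "version": "2.4.0",
         "purl": "pkg:npm/example-http@2.4.0"},
    ],
}
SBOM_VENDORED = {
    "bomFormat": "CycloneDX",
    "components": [
        {"type": "library", "name": "example-http", "version": "2.4.0",
         "purl": "pkg:npm/example-http@2.4.0"},
    ],
}

# Constructed advisory feed using OSV-style half-open "introduced"/"fixed" ranges.
ADVISORIES = [
    {"id": "PLACEHOLDER-ADV-0001", "package": "pkg:npm/left-pad",
     "introduced": "0.0.0", "fixed": "1.2.0"},
    {"id": "PLACEHOLDER-ADV-0002", "package": "pkg:npm/example-http",
     "introduced": "2.5.0", "fixed": "2.6.1"},
]


def parse_version(version):
    """Split a dotted numeric version into an integer tuple for ordering."""
    return tuple(int(part) for part in version.split("."))


def purl_without_version(purl):
    """Strip the '@version' suffix so the purl can be compared to an advisory."""
    return purl.split("@", 1)[0]


def is_affected(version, advisory):
    """True when introduced <= version < fixed (half-open range, as in OSV)."""
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


def sca_findings(sbom, advisories):
    """Return (component purl, advisory id) pairs that would need triage."""
    findings = []
    for comp in sbom["components"]:
        base = purl_without_version(comp["purl"])
        for adv in advisories:
            if adv["package"] == base and is_affected(comp["version"], adv):
                findings.append((comp["purl"], adv["id"]))
    return findings


if __name__ == "__main__":
    for label, sbom in (("with dependency", SBOM_WITH_DEP),
                        ("vendored", SBOM_VENDORED)):
        print(label, json.dumps(sca_findings(sbom, ADVISORIES)))
```

The vendored SBOM yields no findings, which is exactly the reduction in triage work the comment describes. The caveat a practitioner should keep in mind is that the component disappeared from the inventory, not from the codebase: the copied or generated function is now first-party code, so any defect it carries has to be found by your own review and testing rather than by an advisory feed, and keeping the inventory honest is the point of an SBOM in the first place.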