I think Python has a better overall philosophy with the batteries included concept.
But you still have dependency hell there. The NodeJS ecosystem is a mess, but I wouldn’t say that Python is that much better. All this virtual environment stuff is annoying as well. And making a mistake while typing a package name to install can also lead to a compromise. However, my point is that all this is not bad PR for open source.
NodeJS is a framework. And the language used in NodeJS is open source as well. And this is normal. C, C++, Python, Rust, Perl etc. are free to use. How can it be bad for open source if there are security risks in the ecosystem of a language?
And the widespread use of open source means more good and bad actors are posting their code on GitHub, and most people who use it aren’t aware of all the issues.
Look here. Is this also bad for open source? I mean, these are security problems. GitHub is just a repository hosting provider. Even if my repo is private, the same things could happen.
And we are talking about libraries. It is almost normal that libraries used in a project have an open source licence. While it is not that normal that open source software is used.
I think it is again bad PR for npm, but not for open source. And indeed, if I find a cool piece of software but it is based on NodeJS, I will rather not use it. The ecosystem is bad and it is still JavaScript.