How to Ruin All of Package Management
36 points by gerikson
Package management worked because the stakes were low
Running arbitrary code on people's computers is low stakes?
The stakes were low in the sense of “there’s no money riding on this”. Obviously malware and buggy implementations have been released through package managers. But considering that every marginally successful language released since Perl first shipped with CPAN has had a package manager that allows anonymous authors to release unvetted code, and that the positive has so far outweighed the negative, then clearly the stakes have been low enough so far.
Otherwise we would already be doing things differently because spammers and malware authors would have already ruined it to take those stakes.
Probably you were just riffing on a conflation of risks with stakes and I’ve overthought this comment. Either way, stakes are the reward, not the risk — this sentence is an oversimplification. I’ll leave it to another commenter to clarify and correct.
Publishing a package costs nothing. No identity verification. No deposit. No waiting period. You sign up, you push, it’s live. This was a feature: low barriers to entry let unknown developers share useful code without gatekeepers. The npm ecosystem grew to over 5 million packages because anyone could participate.
Funnily enough this is only mostly true now. I recently published a package to npm for the first time in like 10 years. I decided to make a new npm account to separate anything worthwhile that I do from the crap packages that I published when I was new to node. Publishing now requires 2FA, and doesn't allow the use of a 2FA authenticator app, so I needed to buy a yubikey. It was weird having to spend money in order to share code (even if it's just a one-time setup, which many people will already own) but I think it's an understandable tradeoff given the security challenges facing the npm ecosystem.
Npm's publishing security changes also seem to give preferential treatment to publishing via CI jobs in GitHub and GitLab. They say they'll support self-hosted runners eventually, but I do wonder whether this is a movement towards more integrated control over the package lifecycle.
and doesn't allow the use of a 2FA authenticator app, so I needed to buy a yubikey.
I was so shocked they would do such a thing I actually created an NPM account just to see for myself if it was true. It turns out, the language on that page does talk about USB or NFC but the underlying action is merely creating a Passkey. Then, I tried publishing a silly package and (as expected) the browser asked for the passkey and continued along its merry way authorizing the npm publish command. Since I'm not deep in that ecosystem, I am sure there are a bazillion fun nuances or "yes, but" items hiding in the flow, but as best I can tell it isn't true that one needs to spend money on a hardware token.
Well shit, I could have saved myself $50. Thank you for the correction!
I regret that they did such a user hostile thing, but (as you hinted at) Yubikeys are thankfully handy in other use cases. The other side of that coin is that it appears there's a few on eBay if you wanted to try and recoup some of the money, although the prices are currently all over the place so it's hard to know what you'd get back. It seems they do offer a return policy if that applies to you.
What does it mean for Polymarket to have "called the 2024 election better than the pollsters"? Both Polymarket and predictions based on polls deal in probabilities. Without re-running the 2024 election at least dozens of times you can't tell which "called it best", and it happened just once!