Oh man you pick the one other language that followed the JavaScript model?! How about C, Java, Go, Lisp, C#, C++, D… and new ones like Odin that are explicitly against package managers for this very reason.

When you start writing with C, where do you get your stdio.h file? Do you write it yourself, or inspect it line by line every time or do you trust the installation package you just ran?

Your OS. glibc / musl.

Exactly, you are trusting an OS or library which could very much be maliciously interfered with.

I would be willing to bet attacks on linux upstream libraries are already happening in the same way as the js ecosystem.

Hm... if you use something like Debian it's quite difficult to get your package installed in the distro. People do review everything that goes in. I find it incredibly silly to compare something like that to npm, where every kid has dozens of packages installed that anyone using npm can end up downloading and no one is really reviewing anything.

I agree one is more difficult than the other, but I feel the principal is the same. Whilst anything is built using other modules, there is always risk those modules will be compromised.

What makes you think that this is the case?

And yeah I'm trusting my OS (Linux) and the libraries that is in their repository.

We could go deeper than that. What about hardware? None of it is open source.

Where does it end? What can we do about it?

This is why Huwawei equipment was disallowed to be part of Western Europes 5g rollout.

https://www.euronews.com/next/2024/08/12/eleven-eu-countries...

What can we do about it indeed!? I guess its either fully digitally detox or accept the fact that if you use modern technology then somebody is watyching what you do.

> It's no different anywhere else.

But it is. Both C/C++ and Go are not at all like this.

I don’t know about Python but Rust ecosystem tends attract enthusiasts who make good single purpose packages but that are abandoned because maintainers move on, or sometimes forked due to minor disagreements similar to how Linux/unix is fragmented with tribal feuds.

All languages use libraries that come from somewhere.

Even your OS upstream packages could be tainted at this point.

Go is like this...

M'yea, good luck finding such occurrence with NuGet or Maven for example. I would rephrase your "anywhere else".

NPM is a terrible ecosystem, and trying to defend its current state is a lost cause. The energy should be focused on how to fix that ecosystem instead of playing dumb telling people "it's all ok, look at other, also poorly designed, systems".

Don't forget that Rust's Cargo got heavily inspired by NPM, which is not something to brag about.[0]

> "Rust has absolutely stunning dependency management," one engineer enthused, noting that Rust's strategy took inspiration from npm's.

[0]https://rust-lang.org/static/pdfs/Rust-npm-Whitepaper.pdf

One of the biggest things that pushes me away from Rust is the reliance on micro dependencies. It's a terrible model.

What's wrong with micro dependencies? Isn't it better to download only the code you need? Also it makes refactoring easier, and enforces better architecture.

Larger attack surface - you just need one of those N dependencies to fall for a spear phishing attack and you're cooked. Larger N is necessarily worse.

It depends on the software being written, but if it's a product your business sells or otherwise has an essential dependency on, then the best model available right now is vendoring dependencies.

You still get all the benefits of standing on top of libraries and frameworks of choice, but you've introduced a single point of entry for externally authored code - there are many ways you can leverage that to good effect (vuln scans, licence audits, adding patch overlays etc etc) and you improved the developer experience - when they check out the code, ALL of the code to build and run the project is already present, no separate npm install step.

You can take this model quite a bit further and buy some really useful capabilities for a development team, like dependency upgrades because they're a very deliberate thing now, you can treat them like any other PR to your code base - you can review the changes of each upgrade easily.

There's challenges too - maybe your npm dep builds a native binary as part of it, you now need to provide that build infra / tooling, and very likely you also want robust build artifact and test caching to save wasting lots of time.

Dependency management is work. And almost nobody does this work seriously because it has become unrealistic to do, which is the big concern here.

You now have to audit the hundreds of dependencies. Each time you upgrade them.

Rust is compiled and source code doesn't weigh that much, you could have the compiler remove dead code.

And sometimes it's just better to review and then copy paste small utility functions once.

> Rust is compiled and source code doesn't weigh that much, you could have the compiler remove dead code.

I get the impression that one driver to make microdependencies in rust is that code does weigh a lot because the rust compiler is so slow.

For a language with a focus on safety, it's a pretty bad choice

Is this bait? The whole context is malicious software being installed en masse via NPM micro dependencies.

They should just be part of the stdlib of the language.

Rust has a really big and comprehensive stdlib, especially compared to languages like C or JavaScript. It just decided that certain things won't be solved in the standard lib because there is no obviously-right solution and evolving towards a good solution is much easier in packages than in the stdlib, because the stdlib isn't versioned.

Some of the gaps feel huge, like no random, no time/date handling, and no async runtime. But but for most of them there are canonical packages that 95% of the ecosystem uses, with a huge amount of eyeballs on them. And sometimes a better solution does emerge, like jiff slowly replacing chrono and time for time/date handling.

Obviously this isn't the best solution from a security perspective. There would be less potential for supply chain attacks if everything was in the standard library. But that has to be weighed against the long-term usability of the language

No, I'd much rather a trusted source, like the language developers themselves, provide as much as possible.

And those last two points have absolutely nothing to do with micro dependencies one way or the other.