NPM vs. Deno

John Peters - Jul 13 '20 - Dev Community

Node Packages and the Node Package Manager

  • What we get on any given NPM install is never fully known: one direct dependency pulls in a tree of transitive dependencies, and that tree can easily run to hundreds of packages.
  • What we get security-wise is not known either. There is no certification step for publishing to the registry, so anyone can publish literally anything, and a package's preinstall/postinstall scripts run arbitrary code on our machine at install time. npm audit only reports vulnerabilities that are already known and catalogued.
  • There's no guarantee that any package we use has any future maintenance in mind.
  • npm install honors package-lock.json, so the versions we get are the ones pinned there, not necessarily the newest that package.json allows. To get something different we have to know how to deal with the lock file, for example run npm update or delete package-lock.json (which throws away the pins and the reproducibility they give).
  • npm ci (clean-install) works, but it installs exactly what package-lock.json pins and fails if the lock file and package.json disagree, so what we get can still differ from what we want whenever the lock file is stale.
  • Gaining full knowledge of NPM installs, packages and package-lock files is an obscure art. Things do not come to light until days or weeks of fiddling around and getting to know the secrets.
  • The -D (--save-dev) and -g (global) options are confusing. A -P (--save-prod) option for "this project" does exist and is in fact the default, but hardly anyone explains that.
  • Blowing away the node_modules folder, either locally or globally, just to regain control is crazy! Let the compiler tree-shake instead, keeping in mind that tree-shaking only trims unused code from the output bundle; it changes nothing about what was installed on disk or executed at install time.
  • Overall grade for NPM is a C- or D+. No professor would ever rate it higher knowing these potential nasty side effects.
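
The bullets above say that what an install brings in is unknown and that anything can be injected. The lock file actually records most of that: in lockfileVersion 2 and 3, package-lock.json carries a "packages" map keyed by each package's node_modules path, with its resolved URL, integrity hash, dev flag and a hasInstallScript flag. The script below, an added example and not code from the original post, reads such a map and reports how many packages really land in node_modules, how deep the transitive tree goes, which packages run install scripts, which are not pinned to a registry tarball with an integrity hash, and which names are installed more than once. The lockfile it analyzes is constructed for the example; the package names in it are invented.

```javascript
// Added example: audit a package-lock.json (lockfileVersion 2/3 "packages" map).
// The lockfile below is constructed for this example; the package names are invented.
const SAMPLE_LOCK = {
  name: "demo-app",
  version: "1.0.0",
  lockfileVersion: 2,
  packages: {
    // The "" entry is the project itself: the specs copied from package.json.
    "": {
      name: "demo-app",
      version: "1.0.0",
      dependencies: { "pad-ish": "^1.0.0" },
      devDependencies: { "lint-ish": "^7.0.0" },
    },
    "node_modules/pad-ish": {
      version: "1.0.3",
      resolved: "https://registry.npmjs.org/pad-ish/-/pad-ish-1.0.3.tgz",
      integrity: "sha512-PAD/constructed",
      dependencies: { "colors-ish": "^1.4.0" },
    },
    // Declares an install script: arbitrary code runs on our machine at install time.
    "node_modules/colors-ish": {
      version: "1.4.0",
      resolved: "https://registry.npmjs.org/colors-ish/-/colors-ish-1.4.0.tgz",
      integrity: "sha512-COLORS/constructed",
      hasInstallScript: true,
    },
    "node_modules/lint-ish": {
      version: "7.32.0",
      resolved: "https://registry.npmjs.org/lint-ish/-/lint-ish-7.32.0.tgz",
      integrity: "sha512-LINT/constructed",
      dev: true,
      dependencies: { "colors-ish": "^0.9.0" },
    },
    // A second copy of colors-ish, nested because the two ranges conflict,
    // fetched from a git URL and therefore carrying no integrity hash.
    "node_modules/lint-ish/node_modules/colors-ish": {
      version: "0.9.1",
      resolved: "git+ssh://git@github.com/example/colors-ish.git#0123456",
      dev: true,
    },
  },
};

// "node_modules/a/node_modules/@scope/b" -> "@scope/b" (scoped names keep their "@scope/" prefix)
function packageName(path) {
  const marker = "node_modules/";
  return path.slice(path.lastIndexOf(marker) + marker.length);
}

// "node_modules/a/node_modules/b" -> 2: one level below a direct dependency
function depth(path) {
  return path.split("node_modules/").length - 1;
}

// registry: tarballs resolved from anywhere else (git URLs, other hosts) are reported as unpinned.
function analyzeLock(lock, registry = "https://registry.npmjs.org/") {
  if (!lock.packages) {
    throw new Error("lockfileVersion 1 has no 'packages' map; regenerate the lock file with npm 7 or later");
  }
  const report = {
    total: 0,            // packages that actually land in node_modules
    dev: 0,              // of which devDependencies (and their transitive deps)
    maxDepth: 0,         // deepest nesting level
    installScripts: [],  // packages that run preinstall/install/postinstall
    unpinned: [],        // not a registry tarball, or no integrity hash
    duplicates: {},      // name -> sorted versions when installed more than once
  };
  const versionsByName = {};

  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path === "") continue; // the project itself, not a dependency
    const name = packageName(path);
    report.total += 1;
    if (entry.dev) report.dev += 1;
    report.maxDepth = Math.max(report.maxDepth, depth(path));
    if (entry.hasInstallScript) report.installScripts.push(`${name}@${entry.version}`);
    const fromRegistry = typeof entry.resolved === "string" && entry.resolved.startsWith(registry);
    if (!fromRegistry || !entry.integrity) {
      report.unpinned.push(`${name}@${entry.version} (${entry.resolved || "no resolved URL"})`);
    }
    (versionsByName[name] = versionsByName[name] || []).push(entry.version);
  }
  for (const [name, versions] of Object.entries(versionsByName)) {
    if (versions.length > 1) report.duplicates[name] = versions.slice().sort();
  }
  return report;
}

console.log(JSON.stringify(analyzeLock(SAMPLE_LOCK), null, 2));
```

On the constructed lock file this reports four installed packages for two declared ones, two of them dev-only, a tree two levels deep, one package with an install script, one copy of colors-ish pulled from git with no integrity hash, and colors-ish installed twice at 0.9.1 and 1.4.0. To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))`; if your project uses a private registry, pass its base URL as the second argument so its tarballs are not flagged as unpinned.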

Deno

  • I can't grade it at all because my only knowledge is from reading what it does.
  • I like the concept of security first.
  • I like the concept of using URLs to point to a single library.
  • I like the idea of getting away from Node.
  • It makes me wonder: do we need the 200 MB of Node package baggage just to do things we should know how to do, and have certified safe libraries ready to go?

There's too much to like about Deno and at least 3 strikes against NPM; the question is, have you reached the bottom of the 9th? I'm at least in the bottom of the 8th myself.

Summary

Maybe it's time to break our opium addiction to NPM third-party packages outside of Angular, React and Vue (ok, perhaps Material). Everything else should be our own reusable libraries. We can do this with NPM, or we can use a security-first runtime named Deno.

JWP 2020
