
> It does not much matter if it imports 300 or 30 of them, those vulns will land somewhere in those 30 with equal frequency statistically.

The point is the risk is far higher with more dependencies as I said from the very start. But it happens much more frequently in the NPM ecosystem than in others.

> If you are advocating developing without dependencies at all, then please start (with any language) and show us all how much you actually ship.

The languages in the former (especially Go) encourage you to use the standard library when possible. JavaScript / TypeScript does not and encourages you to import more libraries than you need.

> JS is a target of these dumb accusations because it's literally the best cross-platform way to ship apps. Stop inventing issues where there are none.

Nope. It is a target because of the necessity for developers to import random packages to solve a problem due to its weak standard library and the convenience that comes with installing them.

You certainly have a JavaScript bias towards this issue yourself, and there is clearly a problem; you ignoring it just makes it worse.

If it wasn't an issue, we would not be talking about yet another supply chain attack in the NPM ecosystem.
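The "30 vs 300 dependencies" point above is easy to make concrete for a real project by reading its `package-lock.json`. The script below is an added example, not code from the thread: it parses a constructed lockfile in npm's `lockfileVersion` 3 layout, reports how many packages each direct dependency actually pulls in, and models how the chance of at least one compromised package grows with the footprint. It assumes a flat name lookup (`node_modules/<name>`), ignoring nested duplicate resolution, and the per-package incident rate is a placeholder input, not a measured figure.

```python
import json

# Constructed sample lockfile (lockfileVersion 3); package names are made up.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"left-pad-ish": "^1.0.0", "tiny-http": "^2.0.0"}},
        "node_modules/left-pad-ish": {"version": "1.0.0"},
        "node_modules/tiny-http": {
            "version": "2.0.0",
            "dependencies": {"mime-ish": "^1.0.0", "debug-ish": "^4.0.0"},
        },
        "node_modules/mime-ish": {"version": "1.0.0"},
        "node_modules/debug-ish": {"version": "4.0.0", "dependencies": {"ms-ish": "^2.0.0"}},
        "node_modules/ms-ish": {"version": "2.0.0"},
        # nested duplicate installed under tiny-http (older ms-ish)
        "node_modules/tiny-http/node_modules/ms-ish": {"version": "1.0.0"},
    },
})


def dependency_footprint(lock_text):
    """Return (direct_deps, installed_entries, unique_names) for a v3 lockfile."""
    packages = json.loads(lock_text)["packages"]
    direct = len(packages.get("", {}).get("dependencies", {}))
    installed = [p for p in packages if p.startswith("node_modules/")]
    unique = {p.rsplit("node_modules/", 1)[1] for p in installed}
    return direct, len(installed), len(unique)


def _closure(packages, name, seen):
    """Collect every package reachable from `name` (simplified flat lookup)."""
    if name in seen:
        return seen
    seen.add(name)
    for dep in packages.get("node_modules/" + name, {}).get("dependencies", {}):
        _closure(packages, dep, seen)
    return seen


def footprint_by_direct_dep(lock_text):
    """Map each direct dependency to the number of packages it pulls in (itself included)."""
    packages = json.loads(lock_text)["packages"]
    roots = packages.get("", {}).get("dependencies", {})
    return {name: len(_closure(packages, name, set())) for name in roots}


def p_any_compromised(n_packages, p_per_package):
    """P(at least one of n independently exposed packages is hit) = 1 - (1 - p)^n."""
    return 1.0 - (1.0 - p_per_package) ** n_packages
```

Running `footprint_by_direct_dep` on a real lockfile shows which single import is responsible for most of the attack surface, which is the number worth reviewing before adding another package.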
