First rule of speaking French: get bored and trail off halfway through each word. No one says six or seven syllables. In practice, you'll get two on a regular basis and three if it's your waiter sneering at your bad accent.

To be honest, that PR is a great reason for why you'd want to use someone else's left padding function. Turns out there are about 100 ways to subtly screw it up in JavaScript, so it makes sense to collect everyone's wisdom in a single place rather than everyone trying to re-invent that (surprisingly non-trivial) wheel.

That’s terrifying!

It’s the Internet. You can say “fuck” here.

I disagree about security flaws. If it’s not possible to use a package - say, it mistakenly always degrades SSL connections to plaintext - then I think it’s at least arguable that users should be prodded into upgrade to the fixed version.

I agree about the “same author” bit. I didn’t spell it out, but that to me means “officially designated maintainer”. Maybe that’s always the same individual maintainer, or maybe it’s “Release Manager at Foo Corp”, or perhaps it’s “person who took over package Foo after Randy got a new job”. But in all cases, the uploaded is still the person who’s directly responsible for that specific package in real life.

That doesn’t help if you accurately mirror a repo where a package can be replaced with something malicious.

I agree to a point, but I don't maintain my own Linux distro even though I depend on certain packages for my software to run on it.

Eh, I don't care about that so much. If it's the idiom in your language to let someone else write every little function like that, and that's just how it is in that ecosystem, then so be it. I wouldn't want to work that way, but everyone has their preferences.

But if you're going to foster an ecosystem where everyone's going to use the same "leftpad", then you damn well better make sure that:

• Once I've added "leftpad-4.5.6" to my dependencies, it's not going away unless there's a critical security flaw,
• That today's "leftpad-4.5.6" is the same one I downloaded yesterday, and
• That "leftpad-4.5.7" comes from the same author who released 4.5.6 and not Boris in St. Petersburg.

If you can't guarantee all three of those conditions, I want nothing to do with it. And again, pretty much everyone else offers these guarantees. This isn't just some greybeard rant about an ideal world no one has ever lived in before.

So make attackers wait a whole day before uploading their compromised replacements for widely-used packages. Got it!

Seriously, NPM is a shithole. "As a general rule, the npm Registry is and ought to be immutable", you think? It's not a "general rule". It's "all the time, every" you freaking amateurs.

most of the npm support team's work is devoted to handling user requests for package deletion, which is more common than you might expect. Many people publish test packages then ask to have them deprecated or deleted. There also is a steady flow of requests to remove packages that contain contain private code that users have published inadvertently or inappropriately.

This right here is how you brought it upon yourself, and why I have zero sympathy for your self-imposed situation. If I contribute a package to Debian, you think they'll spend "most of their week" removing it just because I asked? That's not gonna happen. Here's how you fix this:

"Effective immediately, we no longer remove packages unless they cause a clear and imminent threat to their users. If you accidentally included your GitHub password, change it. That's your problem, not ours. Next time try not to do that, OK? Also, we no longer reuse package names, ever, for any reason. If you wanted it, you should have registered it. And finally, under no circumstances, period, may you ever reuse a version number. Ten years from now, package foo-1.2.3 will be bytewise identical to the one we issued last week. We guarantee it."

Anything short of that is a joke to the rest of the industry. I'm not being idealistic or unrealistic, either: these are completely reasonable, common policies that pretty much literally every other package repo implements.

Yes, it's part of the contract, but that doesn't mean it's fair or just. It's an obsolete legacy that we're stuck with, not something to hold up as good.

I don't feel that way at all, and have in fact spent lots of time in low-population states. I have nothing against them. But suppose for the sake of argument that a county in west Texas split off to be their own state. Why should that small land area county with 25 people have the same number of Senate votes as the giant (land a people-wise) remainder of Texas?

That's a great question. Probably not, but the Senate was originally a nod to slightly smaller states who didn't want to be ignored. However, the state population range at the time was much smaller: Virginia was about 12 times more populous than Delaware (which by land is 1/9th the size of Virginia, so their densities are very similar).

Today, California is 68 times more populous than Wyoming (but only 1.7 times bigger, which works out to about CA being about 41 times more densely populated). There's absolutely no way that a Senate being crafted today would give Wyoming 68 times the proportional representation of California.

Why should that not be the case? Remember, land doesn't vote: people do. I lived in Nebraska where about 60% of the population lived in Omaha. Any arrangement where the rest of the state were allowed to outvote that small, heavily populated corner is inherently disenfranchising the Omahans.

Similarly, it's insane that people in Wyoming have four times the electoral voting power as New Yorkers. "But Wyoming is so big on the map!" Sure, but it has the about the population of Staten Island.

There is no justifiable reason why those one or two cities shouldn't have all the power if that's where all the people live.

No you're not. No one actually believes you.

It's too high as the definition of "minimum required for normal Internet use". It's definitely not too high as a definition of "fast Internet".