Comment Re:NPM needs to be burned to the ground (Score 2) 32
First of all, NPM itself is a piece of junk. The "cool guys" (teenagers who think they know how to program because they managed to glue together a few bits of JavaScript) have the terrible habit of pasting in everything and the kitchen sink as dependencies, even when you could (or should) write the code snippet you need yourself and thus avoid adding another 1MB of JavaScript “libs”. It's how they arrived at this absurdity of any simple application literally needing thousands of dependencies, and good luck checking each one for possible vulnerabilities.
The other big mistake the “cool guys” make is ignoring backward compatibility. They are always redoing everything without any concern for what might depend on the libraries they create, and if you, “old dinosaur”, question this, they arrogantly respond that you're the one who has to find a way to keep up (never mind that the reason for so many compatibility breakages is that the "cool guys" don't actually know what they're doing, so they have to redo everything over and over again until they maybe get it right by accident). That's why applications that make the mistake of using these libraries end up having to “freeze” versions, because otherwise they quickly stop working.
And the biggest mistake, in my humble opinion, is linking these applications to libraries on external servers, even directly to repositories such as GitHub. This basically opens the floodgates to attacks such as those described in the TFA.