1. 53

  2. 14

    Beautiful satire. Hopefully the message might get through to some that npm is self-inflicted psychopathy.

    1. 21

      I definitely share the sentiment. On the other hand it feels bad to make an analogy to the Onion article which is about gun violence.

      1. 11

        Considering the real-world implications of this sort of technical irresponsibility (which include things like “airplanes crashing out of the sky and killing 600+ people”), I think this is entirely the analogy that needs to be made more often.

        It terrifies me that more people in the IT industry don’t realise the real-world implications for their decisions :/

        1. 16

          airplanes crashing out of the sky and killing 600+ people

          I’m not especially impressed with npm either, but I don’t think it’s causing airplanes to fall out of the sky?

          1. 2

            NPM isn’t directly responsible for causing airplanes to fall out of the sky because it’s not being used in obviously-critical / life-or-death systems. The most it can do is ruin lives and thus kill people indirectly (ex., by presenting an attack surface by which bank accounts can be drained, or by being so bloated that, when deployed at scale, it heats up the atmosphere enough to be responsible for the death of a few hundred people from flooding or migration-related-violence somewhere down the line).

            As a general policy, though, treating software problems as potentially fatal (the way we treat law problems as potentially fatal) is pretty reasonable. Anything deployed at scale has the potential to kill indirectly, and everything deployed at google- or facebook-scale probably has. Nothing is preventing individual software engineers from considering these cases, aside from taboos against reminding us of their possibility.

            1. 2

              The most it can do is ruin lives and thus kill people indirectly

              I know someone who works in health informatics, where they provide web-based applications for patient management to hospitals. At least once they had a bug that caused allergy warnings to show up on the wrong patient’s record (such that a nurse might not know that you’re allergic to latex or penicillin). That absolutely could kill someone.

          2. 8

            It terrifies me that more people in the IT industry don’t realise the real-world implications for their decisions :/

            Often, the response to pieces like this tends to be a sort of reckless naivete: “what’s this guy’s problem? They can just fix it!” I think there’s a subconscious belief that the community will self-correct after each breach. This belief ends up being something of a thought-killer because it cuts off thoughts of, “but why did it ever happen in the first place?” My guess is those thoughts are seen as a bit negative/taboo, because obviously the community would never all be wrong about something!

            I’m not sure what the cure for lackadaisical developers is, other than avoiding massively popular ecosystems just to have a better shot at being around people that care.

            1. 6

              The Canadian practice of the Iron Ring ceremony echos your very important point. https://en.m.wikipedia.org/wiki/Iron_Ring

              1. 2

                While surely virtuous, I doubt this ceremony (And any feel-good manifesto that gets posted here every now and then) have noticeable impact on how engineers deal with the real-world implications of their decisions. Oaths are nothing but fluff when there are no actual controls and consequence.

                1. 3

                  I think that, as you suggest, the ceremony definitely does not usually result in software engineers feeling the weight of their decisions. I would hope and expect that it does feel that way for, for example, civil engineers. I also think we need to all take responsibility for moving our profession in the direction of greater accountability. We should live in a world where software engineers take this stuff seriously, and taking it seriously as individuals is one important way we can work towards that.

            2. 5

              The implication here is that it’s the result of a systemic flaw that is ultimately preventable.

              1. 12

                I think the point jjmalina is making is that it’s in poor taste to compare a JavaScript packaging problem to an act of wanton, unspeakable violence.

                1. 19

                  wanton, unspeakable violence.

                  So, webpack?

                  1. 2

                    A satirical article by the onion (which is the comparison being made) is not an act of violence in any way, shape or form.

                    1. 3

                      The comparison is not between ‘a JavaScript packaging problem’ and ‘a satirical article by the onion’. The comparison is between ‘a JavaScript packaing problem’ and ‘gun violence’. (Both expressed in the form of satirical articles.)

                2. 5

                  This was exactly my reaction and put me off from reading the article. For those who recognize the allusion, it’s very much a false equivalence to compare CI/CD failures to actual loss of human life. The Onion’s article is a biting satirical commentary on a tragic systemic failure of American culture and legislative bodies. This article is about NPM being insecure. Distasteful.

                  1. 2

                    I just see it as a pattern for a joke. A knock-knock joke can either be a completely harmless joke that a child would say, or an adult could come up with a terribly offensive one.

                  2. 3

                    Aren’t a lot of the suggestions made implemented in Yarn?

                    1. 4

                      The last suggestion, no fuzzy dependency versions, is how Yarn’s lockfile (which predates npm’s lockfile implementation) works. As I understand it, the other suggestions would have to be implemented by the registry itself, rather than a client like Yarn.

                      1. 1

                        Ah, that makes sense. For some reason it didn’t click with me that yarn didn’t have its own registry parallel to the npm registry.

                      2. 2

                        The important ones can’t be implemented without getting away from the npm infrastructure and (global) namespace.

                      3. 2
                        1. 6

                          I did an 8,000 word postmortem on that. Very few of the problems are due to technical aspects of npm, and people have done similar attacks on pypi and java.