this post was submitted on 05 Nov 2024
248 points (99.2% liked)

Technology

59646 readers
2609 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[โ€“] [email protected] 14 points 3 weeks ago (8 children)

I don't know much about NPM (having avoided JS as much as possible for my entire life), but golang seems to have a good solution: 'vendoring'. One can choose to lock all external dependencies to local snapshots brought into a project, with no automatic updating, but with the option to manually update them when desired.

[โ€“] interurbain1er 8 points 3 weeks ago

That won't prevent typo squatting. This article is a out people wanting to add a dependency to "famousLib" and instead typing "famusLib".

What probably help more in Go is the lack of a central repo so you actually need to "go get github.com/whoever..." so typo squatting is a bit be a bit more complicated.

On the other hand it will be an easy fix in NPM by simply adding a check to libraries names and reject names that are too similar since it's centralized.

load more comments (7 replies)