Post · bonfire.cafe

Post

@happyborg Setting GitHub aside, I just can't understand why npm still isn't a non-profit foundation. And why the JavaScript community just lets it happen.

Andrew Golding

@huronbikes@cyberplace.social replied · 4 days ago

@hongminhee I knew that the state of dependency management in JS was bad but I didn't know it was single-vendor, "hey that's a nice library, be a shame if it couldn't be distributed" bad.

happyborg

@happyborg@fosstodon.org replied · 4 days ago

@hongminhee they keep folk on such platforms because we don't factor in the longer term costs that they will inevitably make us bear as they slowly ratchet up the money flows.

It's the same everywhere and is very hard to make the case to suffer higher ongoing costs and inconvenience in order to avoid the nebulous future costs and difficulties of dependency on a gorilla wise only goal is to extract as much as possible from you.

洪民憙 (Hong Minhee) :nonbinary:

@hongminhee@hollo.social replied · 4 days ago

@happyborg Setting GitHub aside, I just can't understand why npm still isn't a non-profit foundation. And why the JavaScript community just lets it happen.

Strypey

@strypey@mastodon.nzoss.nz replied · 3 days ago

@hongminhee
> I just can't understand why npm still isn't a non-profit foundation

I can't understand why anyone keeps using npm despite their ongoing inability to avoid delivering malicious software from their repos;

https://thehackernews.com/2025/12/27-malicious-npm-packages-used-as.html

They have one job; reviewing the code they host, and the maintainers of that code, for quality control. They fail constantly.

@happyborg

The Hacker News

27 Malicious npm Packages Used as Phishing Infrastructure to Steal Login Credentials

Researchers uncovered 27 malicious npm packages used over five months to host phishing pages that steal credentials from targeted organizations.

happyborg

@happyborg@fosstodon.org replied · 4 days ago

@hongminhee unless someone makes it happen it can't happen, and it's not an easy task.

I'm so pleased that there are people who can and do do these things though. So I support Codeberg for example and had a good go at moving my (rather minimal) CI over. I was nearly there but didn't have time to complete it, so everything except release builds (Rust, Svelte + Rust, CLI and Tauri) happens on #Codeberg.

I think it was just builds for Mac I didn't complete.

Bart Louwers

@bart@floss.social replied · 4 days ago

@hongminhee Did not know that it was owned by GitHub. That is sad.

洪民憙 (Hong Minhee) :nonbinary:

@hongminhee@hollo.social replied · 4 days ago

@bart Yeah, npm and GitHub are owned by Microsoft…

Olivier Forget

@teleclimber@social.tchncs.de replied · 4 days ago

@hongminhee I've always been annoyed that deno land's login only option was through a GitHub auth (at least last I checked). I take it that carried over to JSR?

洪民憙 (Hong Minhee) :nonbinary:

@hongminhee@hollo.social replied · 4 days ago

@teleclimber It looks like JSR is trying to add GitLab login support recently, but the options are still too limited.

bonfire.cafe

A space for Bonfire maintainers and contributors to communicate

bonfire.cafe: About · Code of conduct · Privacy · Users · Instances

Bonfire social · 1.0.2-alpha.7 no JS en

Automatic federation enabled