Post · BT Free Social

Post

@happyborg Setting GitHub aside, I just can't understand why npm still isn't a non-profit foundation. And why the JavaScript community just lets it happen.

Andrew Golding

@huronbikes@cyberplace.social replied · 7 hours ago

@hongminhee I knew that the state of dependency management in JS was bad but I didn't know it was single-vendor, "hey that's a nice library, be a shame if it couldn't be distributed" bad.

happyborg

@happyborg@fosstodon.org replied · 8 hours ago

@hongminhee they keep folk on such platforms because we don't factor in the longer term costs that they will inevitably make us bear as they slowly ratchet up the money flows.

It's the same everywhere and is very hard to make the case to suffer higher ongoing costs and inconvenience in order to avoid the nebulous future costs and difficulties of dependency on a gorilla wise only goal is to extract as much as possible from you.

洪民憙 (Hong Minhee) :nonbinary:

@hongminhee@hollo.social replied · 8 hours ago

@happyborg Setting GitHub aside, I just can't understand why npm still isn't a non-profit foundation. And why the JavaScript community just lets it happen.

Strypey

@strypey@mastodon.nzoss.nz replied · 6 hours ago

@hongminhee
> I just can't understand why npm still isn't a non-profit foundation

I can't understand why anyone keeps using npm despite their ongoing inability to avoid delivering malicious software from their repos;

https://thehackernews.com/2025/12/27-malicious-npm-packages-used-as.html

They have one job; reviewing the code they host, and the maintainers of that code, for quality control. They fail constantly.

@happyborg

The Hacker News

27 Malicious npm Packages Used as Phishing Infrastructure to Steal Login Credentials

Researchers uncovered 27 malicious npm packages used over five months to host phishing pages that steal credentials from targeted organizations.

happyborg

@happyborg@fosstodon.org replied · 8 hours ago

@hongminhee unless someone makes it happen it can't happen, and it's not an easy task.

I'm so pleased that there are people who can and do do these things though. So I support Codeberg for example and had a good go at moving my (rather minimal) CI over. I was nearly there but didn't have time to complete it, so everything except release builds (Rust, Svelte + Rust, CLI and Tauri) happens on #Codeberg.

Bart Louwers

@bart@floss.social replied · 9 hours ago

@hongminhee Did not know that it was owned by GitHub. That is sad.

洪民憙 (Hong Minhee) :nonbinary:

@hongminhee@hollo.social replied · 9 hours ago

@bart Yeah, npm and GitHub are owned by Microsoft…

Olivier Forget

@teleclimber@social.tchncs.de replied · 11 hours ago

@hongminhee I've always been annoyed that deno land's login only option was through a GitHub auth (at least last I checked). I take it that carried over to JSR?

洪民憙 (Hong Minhee) :nonbinary:

@hongminhee@hollo.social replied · 11 hours ago

@teleclimber It looks like JSR is trying to add GitLab login support recently, but the options are still too limited.

BT Free Social

BT Free is a non-profit organization founded by @ozoned@btfree.social . It's goal is for digital privacy rights, advocacy and consulting. This goal will be attained by hosting open platforms to allow others to seamlessly join the Fediverse on moderated instances or by helping others join the Fediverse.

BT Free Social: About · Code of conduct · Privacy ·

Bonfire social · 1.0.1 no JS en

Automatic federation enabled