Eeek, it can get pretty ugly. Though admittedly, I do tend to see it less as a flaw of JavaScript (or even the web) and more that beginners are specifically attracted to it.
Yes, true.
We strangely decry M$ using telemetry (glorified spyware), rightfully so, we update FreeBSD with the latest patches, are ever diligent with our firewalls, our auditing, our MAC, etc., and yet don't give a second thought to the biggest security threat: a browser running JavaScript.
Perhaps you're right, but for the reasons I wrote above, it has a powerful position in the software stack and yet is the most insecure garbage I can think of. More and more people adopt it, the browser, as the future of computing. Sheez, that future is bleak.
No one should be dragging in dependencies like this. They should use a specific (known) version rather than treadmilling onto the latest all the time! That is a very amateur thing to do, and in the web specifically, I see it all the time.
I really dislike these language-specific package stores (NPM, PIP, crates.io, VcPkg, etc.). They just allow amateurs to rack up so much technical debt!
No one should, but the problem is everyone does. They use others' code, which contains other code, that contains other code and so on, just so they can do rot13. (Just an example.) It's almost theft, because to me this is not open source, it's open exploitation. Maybe they're truly the same?
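The two points raised in this thread, pinning to a known version rather than a floating range and knowing how much transitive code one direct dependency drags in, can both be checked mechanically against a project's manifest and lockfile. The script below is an added example for this page, not code posted by anyone in the thread; the package.json and package-lock.json it reads are constructed inline and every package name in them (rot13-lite, char-shift, and so on) is hypothetical. It assumes the flat `node_modules/<name>` key layout of lockfile v2/v3 and does not handle nested `node_modules/a/node_modules/b` entries.

```javascript
// Added example (not from the thread): flag floating version ranges in a
// package.json and walk a package-lock.json to count what each direct
// dependency pulls in transitively. All data below is constructed; the
// package names are hypothetical.

// Constructed manifest: one exactly pinned dependency, three floating ones.
const manifest = {
  name: 'example-app',
  dependencies: {
    'rot13-lite': '^1.2.0',   // caret: any 1.x.y >= 1.2.0, changes under you
    'left-padder': '~0.3.1',  // tilde: any 0.3.y >= 0.3.1
    'tiny-logger': 'latest',  // dist-tag: whatever was published most recently
    'stable-util': '2.0.4',   // exact: reproducible install
  },
};

// Constructed lockfile in the shape of package-lock.json v2/v3 "packages":
// keys are node_modules paths, values carry the resolved version and deps.
const lockfile = {
  packages: {
    '': { dependencies: manifest.dependencies },
    'node_modules/rot13-lite': {
      version: '1.2.3',
      dependencies: { 'char-shift': '^0.1.0', 'is-string': '^1.0.0' },
    },
    'node_modules/char-shift': { version: '0.1.4', dependencies: { 'is-number': '^7.0.0' } },
    'node_modules/is-string': { version: '1.0.7' },
    'node_modules/is-number': { version: '7.0.0' },
    'node_modules/left-padder': { version: '0.3.2', dependencies: { 'is-string': '^1.0.0' } },
    'node_modules/tiny-logger': { version: '4.1.0' },
    'node_modules/stable-util': { version: '2.0.4' },
  },
};

// An exact pin is a bare semver triple, optionally with a prerelease/build
// suffix. Anything else (^, ~, >=, *, x ranges, dist-tags, URLs) floats.
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$/;

// Return [name, spec] pairs whose spec is not pinned to a single version.
function findFloatingSpecs(deps) {
  return Object.entries(deps).filter(([, spec]) => !EXACT_VERSION.test(spec));
}

// Look up a package in the flat node_modules layout of the lockfile.
function lockEntry(lock, name) {
  return lock.packages[`node_modules/${name}`];
}

// Breadth-first walk from one direct dependency; returns a Map of
// name -> shortest depth for every package it transitively requires.
// BFS gives the minimal depth even when the graph has shared or cyclic edges.
function transitiveClosure(lock, root) {
  const seen = new Map();
  const queue = [[root, 1]];
  while (queue.length) {
    const [name, depth] = queue.shift();
    if (seen.has(name)) continue;
    const entry = lockEntry(lock, name);
    if (!entry) throw new Error(`lockfile has no entry for ${name}`);
    seen.set(name, depth);
    for (const dep of Object.keys(entry.dependencies || {})) {
      queue.push([dep, depth + 1]);
    }
  }
  return seen;
}

// Audit a manifest against its lockfile: which direct deps float, and how
// many extra packages each one drags in (excluding itself).
function auditManifest(pkg, lock) {
  const floating = findFloatingSpecs(pkg.dependencies).map(([name]) => name);
  const transitiveCount = {};
  for (const name of Object.keys(pkg.dependencies)) {
    transitiveCount[name] = transitiveClosure(lock, name).size - 1;
  }
  return { floating, transitiveCount };
}

console.log(JSON.stringify(auditManifest(manifest, lockfile), null, 2));
```

On the constructed data the audit reports rot13-lite, left-padder and tiny-logger as floating, and shows that the single `rot13-lite` entry is really four packages (three of them never named in the manifest). Run against a real project, the same walk over `package-lock.json` is the quickest way to answer the "know what it does" question before `npm install` is allowed to run.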
I remember years ago, the advent of C++ and the sharing of code and people/nerds being all giddy over it. Some were anticipating large code banks where you could draw in code to perform X function and Y function and save time & money. Glorious, they said. Me, being perhaps too cynical, said in a sarcastic way: "What could possibly go wrong with that methodology?" Along comes JavaScript.
I'm not sure it can be solved short of all browsers being run in a sandbox, always, but that largely only stops exploits.
Don't get me wrong, sharing code is good, but ffs know what it does or don't include it. This type of system, like NPM, does the exact opposite.
Yes these repositories are an evil unto themselves.