Richard Bucker

Hating NPM Javascript

Posted at — Dec 7, 2021

Without any explanation I’m moving my development of one project from a previous install of ClearLinux to Pop!_OS. I thought that all I would need to do is git clone <project> and then build and test, however, it was not that simple. When I tried to run gulp I received some npm error messages that should have been addressed with a previous install from a previous project.

just how vulnerable is the NPM supply chain?

Unfortunately the project would not build and would not run since none of the generated HTML files were in place. When I started installing NPM and the various dependencies I started receiving all manner of failures. My favorite was 44 warnings followed by 8 critical followed by major version upgrades.

running out of goodwill for NPM

I gave up. I resorted to removing everything I just installed and copying the node_modules folder from one project to this one. The result generated my files and I was able to continue; however, all those errors give me a lack of confidence. All this supply chain corruption has only served to support my KISS efforts.

It’s important to keep the amount of code to a minimum. Use languages that are easily reasoned about and audited. Immutable binaries. No source obfuscation… and so on. Implement a DSL and put your work in that DSL. That way your audit(s) are concentrated where they will do the most good.

In my case I’ve limited my DSL to:

The DSL itself looks like TCL because the parser is simple. It is extendable… some projects require this and others that. I like to stick to the included packages rather than any and all. But when I do I check the supply chain. More better.
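As an added example (not code from the post or from any project it mentions), here is one way to "check the supply chain" before trusting a copied node_modules or a fresh install: walk a package-lock.json and flag entries with no integrity hash, entries resolved from somewhere other than the public registry, and entries that run a lifecycle install script. The lockfile object is constructed inline for illustration; package names, URLs and the "sha512-PLACEHOLDER" hashes are placeholders, and only gulp is a real package the post names.

```javascript
// Added example, not from the original post. Constructed lockfile (npm lockfileVersion 2
// layout): two entries pinned to the public registry with integrity hashes, and one
// placeholder package pulled from a git URL with an install script. All values are made up.
const SAMPLE_LOCKFILE = {
  name: "example-site",
  lockfileVersion: 2,
  packages: {
    "": { dependencies: { "gulp": "^4.0.0", "left-pad-ish": "1.0.0" } },
    "node_modules/gulp": {
      version: "4.0.2",
      resolved: "https://registry.npmjs.org/gulp/-/gulp-4.0.2.tgz",
      integrity: "sha512-PLACEHOLDER",
      dependencies: { "glob-watcher": "^5.0.3" }
    },
    "node_modules/glob-watcher": {
      version: "5.0.5",
      resolved: "https://registry.npmjs.org/glob-watcher/-/glob-watcher-5.0.5.tgz",
      integrity: "sha512-PLACEHOLDER"
    },
    "node_modules/left-pad-ish": {
      version: "1.0.0",
      resolved: "git+ssh://git@example.invalid/someone/left-pad-ish.git#abc123",
      hasInstallScript: true
    }
  }
};

// Trusted registry prefix. Anything resolved elsewhere (git, http, a private mirror)
// gets reported so a human can decide whether that source is acceptable.
const REGISTRY_PREFIX = "https://registry.npmjs.org/";

// Audit a parsed lockfile. Returns a list of findings; an empty list means every
// package is pinned to the public registry with a hash and runs no install script.
function auditLockfile(lock) {
  const findings = [];
  const direct = new Set(Object.keys(lock.packages[""].dependencies || {}));
  for (const [path, meta] of Object.entries(lock.packages)) {
    if (path === "") continue; // the root project itself
    // Nested installs look like node_modules/a/node_modules/b; keep the last segment.
    const name = path.replace(/^.*node_modules\//, "");
    const kind = direct.has(name) ? "direct" : "transitive";
    if (!meta.integrity) {
      findings.push({ name, kind, issue: "no integrity hash" });
    }
    if (meta.resolved && !meta.resolved.startsWith(REGISTRY_PREFIX)) {
      findings.push({ name, kind, issue: `resolved outside the public registry: ${meta.resolved}` });
    }
    if (meta.hasInstallScript) {
      findings.push({ name, kind, issue: "runs a lifecycle install script" });
    }
  }
  return findings;
}

// Convenience: count how many distinct packages were flagged.
function flaggedPackageCount(lock) {
  return new Set(auditLockfile(lock).map((f) => f.name)).size;
}

// Stand-alone usage: print the findings for the constructed lockfile.
console.log(JSON.stringify(auditLockfile(SAMPLE_LOCKFILE), null, 2));
```

To run this against a real project, replace SAMPLE_LOCKFILE with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))`; lockfiles written by older npm versions use a top-level `dependencies` map instead of `packages` and would need the loop adapted.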