event-stream VS proposal-built-in-modules

Another possible outcome of "I gave commit rights to someone I didn't know": https://github.com/dominictarr/event-stream/issues/116

Whole npm ecosystem is so fragile.

Remember event-stream[1]? Did we learned something from that? Yes, we might. So was it improved? Never. People are still installing 'new' colors package and wondering why its texts are broken.

What if he uploaded malicious code rather than just just gibberish?

[1]: https://github.com/dominictarr/event-stream/issues/116

foo-bar version 1.0 depends on bada-boom 1.0 which depends on bada-bing 1.0. Now you update to foo-bar 1.1 because of some critical update, which in itself now depends on bada-boom 2.0 and bada-bing 2.0. But unbeknownst to you and the author of foo-bar, the bada-boom and bada-bing project was taken over by another maintainer who made an update, but also added some trojan horse code to specifically attack certain users, which was obfuscated and remained undetected. Which has happened before - not just browser extensions are affected by malicious attackers taking over useful projects.

There is proposal for stdlib, but it will take some time until (if ever) it will reach stage 4.

The working group most in charge of JS is ECMA's TC-39 (TC => Technical Committee) [0]. They've been taking a very deliberate, slow path to expanding the "standard" library because they take a very serious view of backwards compatibility on the web. Some proposals were shifted because of conflicts with ancient versions of things like MooTools still out in the wild, for instance. (This was the so-called "Smooshgate" incident [1].)

This may speed up a bit if the Built-In Modules proposal [2] passes, which would add a deliberate `import` URL for standard modules which would give a cleaner expansion point for new standard libraries over adding more global variables or further expanding the base prototypes (Object.prototype, Array.prototype, etc) in ways that increasingly likely have backwards compatibility issues.

TC-39 works all of their proposals in the open on Github [3] and it can be a fascinating process to watch if you are interested in the language's future direction.

[0] https://tc39.es/

[1] https://developers.google.com/web/updates/2018/03/smooshgate

[2] https://github.com/tc39/proposal-built-in-modules

[3] https://github.com/tc39/proposals

There is a TC39 proposal for a "Javascript Standard Library." It's at stage 1, which is better than stage 0.

https://github.com/tc39/proposal-built-in-modules

The standard library is a tough one. There is a proposal for built-in modules but it is very early days and miles away from what is needed. Clojure ships with functions that make the likes of Lodash and Ramda redundant. I think for a dynamic language an extensive library of functions for manipulating collections is essential. It is a real thing that once dynamic language codebases grow too big, they become a challenge to maintain. Therefore having functions that do a lot of common tasks for you mitigates that issue. Paired with immutability, lots of code just becomes data passing through pipelines, giving less surface area for bugs and making everything more concise and declarative.