A critique arguing that despite the largest supply-chain attack in history, the JavaScript ecosystem won't fix its fundamental dependency management flaws.
The Moment That Could Have Been
In the aftermath of the largest supply-chain attack in history, the JavaScript community had an opportunity for fundamental change. After compromised developers re-provisioned workstations and rotated keys, the ecosystem could have addressed the structural flaws that enabled the attack.
For years, warnings echoed that JavaScript's dependency management approach was reckless, dangerous, and broken by design. This could have been the moment for a course correction.
What a Better Future Could Look Like
Real Standard Library
Google and Mozilla, as leaders in JavaScript standards and implementations, could develop a genuine standard library that makes micro-dependencies like left-pad obsolete. This could be combined with consolidation efforts: merging micro-libraries into larger packages with coherent scope and purpose, and pruning dependency trees.
Next-Generation Package Management
npm (ultimately GitHub, ultimately Microsoft with a $3 trillion market cap) could acknowledge its broken design and fund development of next-generation package management for JavaScript. This could incorporate proven practices from Linux distributions, which rarely suffer these attacks:
- De-coupling Development from Distribution: Separating development from packaging and distribution through established package maintainers who assemble and distribute curated software collections
- Security Infrastructure: Universal signatures for executable code packages, smaller channels and webs of trust, reproducible builds, and other straightforward techniques used by responsible package managers
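The practices listed above are concrete enough to show in code. The following Python script is an added example, not part of the original critique and not any registry's actual implementation: it models the gate a curated distribution layer could place between a developer's upload and an installer. It checks an npm-lockfile-style `sha512-<base64>` integrity string against the artifact, requires at least one maintainer from a small trusted set (a stand-in for a channel's web of trust), and compares the artifact with an independent rebuild to enforce reproducibility. Every maintainer address, package name and artifact byte string is constructed for the example; real asymmetric package signatures (for instance Ed25519) would need a crypto library and are deliberately left out so the script runs with the standard library only.

```python
"""Added example: a minimal policy gate modelling the 'security infrastructure'
bullet (integrity, trusted maintainers, reproducible builds). Nothing here is a
real registry's code; all package data is constructed."""
import base64
import hashlib
import hmac
import json

# Constructed: the curated channel's allowlist of maintainers (a small web of
# trust). Real systems would verify a signature against these identities.
TRUSTED_MAINTAINERS = {"alice@example.org", "bob@example.org"}  # hypothetical

# Constructed artifacts: two independent builds of the same source must be
# byte-identical for the package to count as reproducible.
BUILD_A = (b"pkg:leftpad@1.3.0\n"
           b"module.exports = function pad(s, n) { return s.padStart(n); }\n")
BUILD_B = bytes(BUILD_A)          # independent rebuild, identical content
BUILD_TAMPERED = BUILD_A + b"\n// injected at upload time\n"


def sri_sha512(data: bytes) -> str:
    """Subresource-Integrity style string as recorded in npm lockfiles."""
    return "sha512-" + base64.b64encode(hashlib.sha512(data).digest()).decode()


def check_integrity(expected: str, data: bytes) -> bool:
    """Recompute the digest named by the SRI string and compare in constant time."""
    algo, _, digest = expected.partition("-")
    if algo not in ("sha256", "sha384", "sha512"):
        return False  # weak or unknown algorithm: refuse rather than guess
    actual = base64.b64encode(hashlib.new(algo, data).digest()).decode()
    return hmac.compare_digest(actual, digest)


def is_reproducible(*builds: bytes) -> bool:
    """True when every independent build hashes to the same value."""
    return len({hashlib.sha512(b).hexdigest() for b in builds}) == 1


def vet_package(manifest: dict, artifact: bytes, independent_rebuild: bytes) -> list:
    """Return the list of policy failures; an empty list means 'may be published'."""
    failures = []
    if not TRUSTED_MAINTAINERS & set(manifest.get("maintainers", [])):
        failures.append("no trusted maintainer")
    if not check_integrity(manifest.get("integrity", ""), artifact):
        failures.append("integrity mismatch")
    if not is_reproducible(artifact, independent_rebuild):
        failures.append("not reproducible")
    return failures


# Constructed manifest for the happy path; the integrity field is what a
# lockfile would pin after the curated build.
GOOD_MANIFEST = {
    "name": "leftpad",          # hypothetical package
    "version": "1.3.0",
    "maintainers": ["alice@example.org"],
    "integrity": sri_sha512(BUILD_A),
}

if __name__ == "__main__":
    for label, artifact in (("clean", BUILD_A), ("tampered", BUILD_TAMPERED)):
        print(label, json.dumps(vet_package(GOOD_MANIFEST, artifact, BUILD_B)))
```

The tampered upload fails twice: the lockfile digest no longer matches, and the artifact diverges from the independent rebuild, so even a registry without the lockfile pin would still catch it through reproducibility.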
Cross-Ecosystem Learning
Other ecosystems with similarly broken dependency models (Rust's Cargo, Python's PyPI, Ruby's RubyGems) could observe this incident and recognize that the same crisis looms in their future. They could change course before the inevitable occurs.
Corporate Commitment
Large corporations profiting from this massive pile of recklessly organized software could commit resources through:
- Engineering teams dedicated to fixing these problems
- Collaborative standards establishment and implementation
- Direct funding of dependencies
- Distribution through institutions like NLNet
This could usher in an era of responsible, sustainable, and secure software development.
The Actual Future
This better future won't happen. The actual future will be more of the same.
Symbolic Gestures Expected:
- Mandatory 2FA rolled out in more places
- Big players writing off meager donations for "OSS security and resilience" in marketing budgets
The Lesson: No one will learn. This pattern has repeated for decades without meaningful change. This represents the defining hubris of this generation of software development.
The Core Critique
The fundamental problems remain:
- Sprawling dependency trees of micro-libraries
- Lack of trust-based software distribution
- Absence of proven dependency management practices
- No separation between development and packaging
- Missing security infrastructure (signatures, reproducible builds)
Despite decades of research and innovation in dependency management systems, and despite catastrophic supply-chain attacks, the JavaScript ecosystem continues unchanged. The urgency is understood intellectually but not acted upon structurally.
The Uncomfortable Truth
The JavaScript community had the resources, knowledge, and motivation to fix these problems. Major corporations with trillion-dollar market caps depend on this ecosystem. The solutions exist and are proven in other contexts. But systemic change requires overcoming inertia, economic incentives, and the comfort of familiar broken systems.
The attack was a wake-up call that will be ignored, continuing a pattern of preventable security failures enabled by fundamentally flawed architecture.