A little over a week ago there was a major compromise in security as a result of a social engineering attack. You can read more about it in the npm blog post about it. This kind of attack has always been a source of anxiety for developers working in the Node ecosystem. I can’t think of any project I’ve worked on in Node that didn’t involve installing something using npm. In some cases, like for my Dream Stream app, the dependencies are mercifully brief (Express, Express-Handlebars, Request, and Body-Parser). Unfortunately a much more common scenario is to have a npm_modules folder that contains hundreds of subdirectories. If you create a fresh Angular or React project, you’ll notice that your project folder is already over 100MB in size thanks to all the various dependencies involved. The idea that anyone might be able to review and monitor all these dependencies is far outside the realm of what is possible.

This leaves developers with two awful choices: swear off using external tools in development, or take your chances and hope for the best. And since the first choice would put anyone at a huge competitive disadvantage in the marketplace this means of course that in practice there is only one awful choice: everyone has been forced to take their chances and hope the libraries they use are not made vulnerable by malicious actors.

Is there a way out of this scenario? Personally, I can see only one other alternative. From my perspective this looks like a marketplace failure. There are codebases that are valuable enough to people that they are worth using because they shorten development time with useful abstractions. The problem is that in many instances maintenance of a codebase isn’t worth the effort for the original developer. And a lack of maintenance exposes that codebase to security threats. If there were better mechanisms for paying developers to maintain a codebase, that would reduce the potential risks, and also send useful signals for developers to understand how valuable their work is for their peers. Imagine a system somewhat like royalties for musicians, where an agency was responsible for collecting fees from developers using open-source libraries, and distributing those fees appropriately.

Unfortunately such a solution would still face incredibly challenging implementation details. You would need figure out the right amount of money that would need to be involved. If you charge and reward too little, then it still won’t be worth a developer’s time to maintain a codebase, and nothing gets solved. On the other hand if you charge too much then you create too much of a disincentive to using open-source code. Things are further complicated by uneven distributions for costs of living, purchasing power parity, etc. So that means what is the right price point for one area of the world won’t be for others. Nonetheless, these are details that can be adjusted for and figured out over time. The alternative is the status quo.