Can someone explain the advantage of this? If I want S3 access, I can just use N...

pier25 · 2025-06-11T14:13:27 1749651207

Would you rather use an officially maintained solution or some random package by a random author who might abandon the project (or worse)?

greener_grass · 2025-06-11T14:29:24 1749652164

The S3 packages on NPM are maintained by AWS

pier25 · 2025-06-11T14:52:34 1749653554

Indeed but I was arguing about a general point.

I'd be surprised if any of your Node projects had less than 100 total deps of which a large number will be maintained by a single person.

See Express for example. 66 total deps with 26 deps relying on a single maintainer.

https://npmgraph.js.org/?q=express

But even in the case of the official aws-sdk they recently deprecated v2. I now need to update all my not-so-old Node projects to work with the newer version. Probably wouldn't have happened if I had used Bun's S3 client.

greener_grass · 2025-06-11T16:35:35 1749659735

So let's put every package under the sun into the client?

This approach does not scale. We should make NPM better.

pier25 · 2025-06-11T18:02:34 1749664954

How do you make NPM better?

BTW I'm not saying we should kill NPM. What I'm saying is we should reduce our dependance on random packages.

Bun doesn't need to add everything into the core engine. Eg: when using .NET you still add plenty of official Microsoft dependencies from Nuget.

greener_grass · 2025-06-12T16:07:17 1749744437

- NPM could migrate to reproducible builds of artefacts

- Trust could be opt-in by default

- Dependency installation could be made fully reproducible