Jeff Johnson (My apps, PayPal.Me)

Mac OS X analogue for Node.js?

December 13 2022

One thing I loved about Mac OS X was that Apple took responsibility for curating, installing, and updating Unix libraries and tools. I say Mac OS X rather than macOS because sadly, in recent years Apple has removed many parts of the Unix foundation from the Mac and also shirked its responsibility to update the remaining Unix components (see for example my previous blog post macOS Monterey still vulnerable to CVE-2022-40303). The glory days when Mac OS X was (IMO) actually the best version of Unix in the world are long over.

This blog post isn't about Mac OS X, though; it's about Node.js, the JavaScript runtime environment. As a web browser extension developer, I write a lot of JavaScript, so I have an obvious interest in Node.js. The default package manager for Node.js is npm. I've had to use Node.js and npm before for some third-party projects, but I don't currently use them for my own software. Why not? Frankly, I'm scared of Node packages.

From Wikipedia:

Over 1.3 million packages are available in the main npm registry. The registry does not have any vetting process for submission, which means that packages found there can potentially be low quality, insecure, or malicious. Instead, npm relies on user reports to take down packages if they violate policies by being low quality, insecure, or malicious.


I'm interested in using Node.js for several reasons, but to me the tradeoffs aren't worth it. I don't want to risk compromising my Mac, which hosts critical business and personal data. The npm registry is simply not trustworthy.

I would love it if some entity took responsibility for curating, installing, and updating Node packages, much like Apple did for Unix components. In other words, I want a Mac OS X analogue for Node.js. (To be clear, I don't want an App Store analogue for Node.js. The crApp Store is full of scams. It's worse and less trustworthy than the npm registry. The crApp Store is not truly curated. Not in the way that Mac OS X was.)

Perhaps something like this for Node.js already exists? I'm not aware of anything, but I'm certainly not a Node expert. If a curated package manager does exist, please let me know! Otherwise, I hope that something like this comes into existence soon. It feels like a business opportunity. I for one would pay for it. (I would pay for macOS too again, if Apple put the care into it that they did in the past.)
