
NPM needs a msg displayed in bold on every command that says “these packages may vanish at any time and may not even be what you’re expecting”. I think package managers presenting all packages as equally supported and vetted is part of the problem.


There is an unseen alignment of incentives. The typical FOSS dev community wants its project to be taken seriously. They anticipate competition with other FOSS projects which are commercially backed in many cases.

And "So-and-so Corp. couldn't do it without us" often proves a high standard of being taken seriously.

Examples of that (I think I saw a few earlier today) are all over the place, even here on HN.

The messaging idea is interesting but I wonder how wording like "may vanish at any time" would play into these software community goals of gaining qualitative legitimacy in the face of de facto intra-FOSS-world competition. It seems like a more creative method might be ideal.

But this is mostly true if commercial adoption is seen as a goal, and many projects make it clear that they 1) don't gaf about that and 2) are ready to negotiate a higher standard if the negotiated outcome suits their yet-to-be-communicated needs.

That's also not a very inviting model and it perpetuates a sort of harsh dichotomy around the issue of reliability and support in those cases.

It's really unfortunate because this dichotomy also makes FOSS seem less reliable from the business perspective on the outside, which isn't necessarily desired either.


And the maintainer may change what the functions do randomly for any reason including they found it funny.


Most places I know that did node shit pulled their dependencies from an in-house Artifactory instance. Means no exotic libs -- or upgrades -- until you can get the new library or latest version vetted, at least in principle.
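An added example, not part of the comment above or of any project's own code: one way to enforce the in-house-registry practice in CI is to audit `package-lock.json` so that every dependency resolves over HTTPS from the internal registry and carries an integrity hash. The host `artifactory.example.internal`, the function `auditLockfile`, and the sample lockfile are assumptions constructed for illustration.

```javascript
// Added example: audit a package-lock.json (lockfileVersion 2/3 "packages" map)
// so that every tarball comes from the in-house registry.
// ASSUMPTION: hypothetical internal registry host, not taken from the thread.
const ALLOWED_REGISTRY_HOST = "artifactory.example.internal";

function auditLockfile(lockfile, allowedHost = ALLOWED_REGISTRY_HOST) {
  const findings = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    // Skip the root project, workspace symlinks, and deps bundled in a parent tarball.
    if (path === "" || entry.link || entry.inBundle) continue;
    if (!entry.integrity) findings.push({ path, issue: "missing-integrity" });
    if (!entry.resolved) {
      findings.push({ path, issue: "missing-resolved" });
      continue;
    }
    let url;
    try {
      url = new URL(entry.resolved);
    } catch {
      findings.push({ path, issue: "unparseable-resolved" });
      continue;
    }
    if (url.protocol !== "https:") {
      // Covers git+ssh://, http:// and similar sources that bypass the registry.
      findings.push({ path, issue: "non-https-source" });
    } else if (url.hostname !== allowedHost) {
      findings.push({ path, issue: "foreign-registry" });
    }
  }
  return findings;
}

// Constructed sample lockfile; package names, URLs and hashes are placeholders.
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "app", version: "1.0.0" },
    "node_modules/example-a": {
      resolved: "https://artifactory.example.internal/api/npm/npm-virtual/example-a/-/example-a-1.0.0.tgz",
      integrity: "sha512-PLACEHOLDER" },
    "node_modules/example-b": {
      resolved: "https://registry.npmjs.org/example-b/-/example-b-2.0.0.tgz",
      integrity: "sha512-PLACEHOLDER" },
    "node_modules/example-c": {
      resolved: "git+ssh://git@github.com/example/example-c.git#0000000" },
  },
};

console.log(auditLockfile(SAMPLE_LOCKFILE));
```

Failing the build when the returned list is non-empty keeps a developer's local registry setting from silently introducing unvetted packages into the lockfile.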


Remove node_modules from .gitignore (and make git handle doing that more gracefully!)



