Let’s be real: JavaScript package installation hasn’t fundamentally changed since 2014. We just stacked tools on top of the same old foundation.
node_modules is still a black hole; it just fills up faster or slower depending on your package manager.
Same idea, same problems, same blind trust.
The bigger issue isn’t npm or pnpm themselves.
It’s that we still have no real visibility into what we install.
Registries today are black boxes:
you can’t see a real file-tree
there’s no true version diff
metadata is minimal and inconsistent
no clear runtime compatibility (Node/Bun/Deno/Workers)
export-maps break unpredictably
packages can change massively between versions and you only find out later
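As an added example that is not part of the original post: a simplified static resolver for a package.json "exports" map, showing how one map can point different runtimes at different files, or at nothing at all. The per-runtime condition sets and the sample package.json are assumptions constructed for the example, and the resolver omits the "*" subpath patterns of Node's full algorithm.

```javascript
// Added example (not from the original post): simplified "exports" resolver.
// Condition sets per runtime are assumptions; "*" subpath patterns are omitted.
function resolveTarget(target, conditions) {
  if (typeof target === 'string') return target;
  if (Array.isArray(target)) { // fallback array: first entry that resolves wins
    for (const t of target) { const r = resolveTarget(t, conditions); if (r !== null) return r; }
    return null;
  }
  if (target && typeof target === 'object') {
    // Condition keys are tried in declaration order; "default" always matches.
    for (const key of Object.keys(target)) {
      if (key !== 'default' && !conditions.has(key)) continue;
      const r = resolveTarget(target[key], conditions); if (r !== null) return r;
    }
  }
  return null; // no branch matched this runtime's conditions
}

function resolveExport(exportsField, subpath, conditions) {
  if (exportsField == null) return null;
  // "Sugar" form: a string, array or condition object that stands for "." only.
  const sugar = typeof exportsField !== 'object' || Array.isArray(exportsField)
    || !Object.keys(exportsField).some((k) => k.startsWith('.'));
  const map = sugar ? { '.': exportsField } : exportsField;
  return subpath in map ? resolveTarget(map[subpath], new Set(conditions)) : null;
}

// Assumed condition sets (verify against each runtime's documentation).
const RUNTIME_CONDITIONS = {
  node: ['node', 'import'],
  bun: ['bun', 'node', 'import'],
  deno: ['deno', 'import'],
  workerd: ['workerd', 'worker', 'import'],
};

// For one subpath, report which file each runtime would load (null = unresolvable).
function compatibilityReport(pkg, subpath = '.') {
  const report = {};
  for (const [runtime, conds] of Object.entries(RUNTIME_CONDITIONS)) {
    report[runtime] = resolveExport(pkg.exports, subpath, conds);
  }
  return report;
}

// Constructed sample package.json: no "default" branch, so Workers gets nothing.
const SAMPLE_PKG = { name: 'example-lib', exports: {
  '.': { node: { import: './dist/node.mjs', require: './dist/node.cjs' },
         deno: './dist/deno.js', browser: './dist/browser.js' },
  './utils': { import: './dist/utils.mjs' } } };

console.log(compatibilityReport(SAMPLE_PKG));
```

Run the report over each subpath a package declares before bumping a dependency; a runtime whose entry flips to null between two versions is exactly the kind of breakage the post describes.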
Everyone keeps arguing “pnpm is faster”, “npm is stable”, “bun is aggressive” — but it’s all the same model.
The ecosystem has normalized no inspection.
We install millions of packages blindly.
That’s not engineering.
That’s hope.
I’m building something to fix this, but the discussion is bigger than my project.
Why did such a huge ecosystem never prioritize transparency?
Curious to hear honest thoughts.