> I get "trying to stay vanilla", but any reasonably-common snippet should either be installed from npm or published there.
And that's how you end up with the joke that was left-pad and the broken internet that resulted when the author yanked it.
Dependencies represent a real risk to your product. If it is actually a simple snippet, you shouldn't take that as an NPM dependency - the risk/reward ratio is just way out of whack with that.
NPM disallowed un-publishing modules within a few days of that incident. It's not a thing that happens any more. Also, NPM for years has defaulted to creating lockfiles with all the specific versions of dependencies pinned, so even if a dependency gets updated to have a bug, you will stay on the currently-pinned version unless you specifically change that.
But anyway whether or not the module is un-published doesn't really matter. The module could also just become malicious. Ownership changes, quality of code changes, etc... If you're pinning with lockfiles you're basically back to copy/pasting or checking in a clone of an upstream repo - the maintenance burden shifts back to you at that point. You still then have to manually go update, and remember to do that, or you become just as easily obsolete as the copy/pasted snippet.