But the much bigger plan is how to make sure we distribute it "fairly". JavaScript has this big problem that its ecosystem is messed up, using thousands of tiny packages. "left-pad" is gone, but there are many other very short packages which should not exist. If GitHub starts paying for each package name, things will get 100x worse: now every package will be split into hundreds of "micro-packages", as this will be an easy way to start printing money. This will make all the audits much harder, and future supply chain attacks easier.
To clarify, if I understood correctly: because packages would be fragmented, and hence there would be more attack vectors?
I like the spirit of the article; however:
1. Tracking every mention of a dependency and assigning value fairly is extremely hard: many packages are widely reused while many are tiny utility libs.
2. Usage in a file doesn’t reflect actual runtime usage. A repo might list a package but never import it.
Overall, solutions that align incentives and maintain ecosystem neutrality are more likely to gain traction than a platform-wide mandated surcharge.
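The second point above (a repo may declare a package it never imports) is easy to see with a small static check. The following is an added example, not code from the thread, the article, or any project it discusses. It compares the dependencies a constructed package.json declares against the bare-specifier imports found in a couple of constructed source strings, reporting packages that are declared but never imported ("unused") and packages that are imported but never declared ("phantom", which is the supply-chain-relevant direction: code that resolves a module nobody vetted). The regex, the builtin list, and the sample inputs are assumptions made for the illustration; a real scan would use a proper parser and handle dynamic `require()`, re-exports, and bundler aliases.

```javascript
// Added example (not from the thread or the article): compare the dependencies
// a package.json declares with the modules the source files actually import.
// All inputs below are constructed inline so the example runs offline.

const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "demo-app",
  dependencies: { express: "^4.18.0", lodash: "^4.17.21", "left-pad": "^1.3.0" },
  devDependencies: { jest: "^29.0.0" },
});

const SAMPLE_SOURCES = {
  "src/server.js": `
    const express = require("express");
    const merge = require("lodash/merge");       // subpath import of lodash
    const chalk = require("chalk");              // never declared: phantom dep
    const cfg = require("./config");             // relative path: ignored
  `,
  "src/util.mjs": `
    import fs from "node:fs";                    // builtin: ignored
    import pick from "lodash";
    export const x = 1;
  `,
};

// Assumed short list of Node builtins that may appear without the "node:" prefix.
const BUILTINS = new Set(["fs", "path", "os", "crypto", "http", "https", "url", "util"]);

// Matches `import ... from "x"`, `import "x"` and `require("x")`. Good enough
// for the illustration; a real tool should walk an AST instead.
const IMPORT_RE = /(?:from\s*|import\s*|require\s*\(\s*)["']([^"']+)["']/g;

// "lodash/merge" -> "lodash", "@scope/pkg/sub" -> "@scope/pkg".
function packageNameOf(specifier) {
  const parts = specifier.split("/");
  return specifier.startsWith("@") ? parts.slice(0, 2).join("/") : parts[0];
}

// Only bare specifiers that are not builtins count as third-party packages.
function isExternal(specifier) {
  return (
    !specifier.startsWith(".") &&
    !specifier.startsWith("/") &&
    !specifier.startsWith("node:") &&
    !BUILTINS.has(packageNameOf(specifier))
  );
}

function analyzeDependencies(packageJsonText, sources) {
  const pkg = JSON.parse(packageJsonText);
  const declared = new Set([
    ...Object.keys(pkg.dependencies || {}),
    ...Object.keys(pkg.devDependencies || {}),
  ]);

  const imported = new Set();
  for (const text of Object.values(sources)) {
    for (const match of text.matchAll(IMPORT_RE)) {
      const spec = match[1];
      if (isExternal(spec)) imported.add(packageNameOf(spec));
    }
  }

  return {
    declared: [...declared].sort(),
    imported: [...imported].sort(),
    // Declared but never statically imported: would be counted by a
    // "mentions" metric yet contributes nothing to the running code.
    unused: [...declared].filter((d) => !imported.has(d)).sort(),
    // Imported but never declared: resolves through a transitive install or
    // a hoisted node_modules entry nobody audited.
    phantom: [...imported].filter((i) => !declared.has(i)).sort(),
  };
}

const report = analyzeDependencies(SAMPLE_PACKAGE_JSON, SAMPLE_SOURCES);
console.log(JSON.stringify(report, null, 2));
```

Note that `jest` shows up as unused: test runners and build tools are invoked from `scripts`, not imported, so even a static import scan over-reports in one direction while a "mentions in package.json" metric over-reports in the other. Actual runtime usage (code that is bundled but never executed) is a further step that no static count captures.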
zahlman•1h ago