I hope that more packaging systems take the go modules approach and cryptographically and immutably identify their dependencies at time of addition to the project. This sort of breakage shouldn’t be possible.



This kind of breakage is perfectly possible in Go also - though the most common equivalent of "left-pad broke my project" for many Go developers is "X changed the case of their GitHub username and now all my import paths are broken".


I'm sorry if you were unaware, but they absolutely do that, and were doing that long before Go was.


I am aware of package lockfiles.

If deps are immutable, then nothing anyone does in any other package (short of having the package repository take the code down) should be able to break your future builds.

If that were true, TFA would not be news.


> If deps are immutable, then nothing anyone does in any other package (short of having the package repository take the code down) should be able to break your future builds.

They are. You're only affected if you don't use a package-lock.json or start a new project (which will pull the latest versions of the dependencies).


I'm not a node expert but I believe the problem is that most people auto-update their node dependencies (I know I do, but I only have to do it rather rarely, since I don't primarily use node), because there are just so often minor security regressions that need to be fixed.