So basically, rely on about 5% of JavaScript (my copy of JavaScript: The Good Parts is looking slimmer every day) and hope that everything you’re either directly or transitively exposed to has exactly the same standards you do and will continue to do so in perpetuity, and/or build tons of additional scaffolding to try to sandbox violators, because that has always been such a surefire path to secure code.
The language, and its ecosystem, is a baroque Gormenghast of curiosities built on an ancient sewer where nightmare beasts still roam, and you’ll never stop it stinking just by holing up in the throne room and hoping a few trusted paladins will decontaminate the rest.
We keep throwing new shit at the wall, eventually something sticks. To a whole generation of developers it might look like JavaScript is the One True Web Programming Language, but anyone who's lived through a few transitions knows that we replace entrenched technologies on the scale of decades; it has come and it will go like everything else, sic transit gloria lingua.
The usual (but not universal) trigger is a technological arms race between three or more competing firms attached to a compelling new idea.
Not sure how a new language can help with an ecosystem problem. In the old days, people wrote their own code and relied on a vendor-provided standard lib, for example C++ stdlib, Java platform or Python's batteries included. Since software is expensive, to save time and money people started to rely on 3rd party libraries, conveniently delivered by package repositories, for example CPAN, PyPI or npm. A new language will be subject to the exact same cost and delivery deadline pressures. If anything, newer languages tend to have ecosystems even more dependent on 3rd party modules. The PL problem is largely solved, the ecosystem problem is not.
I think the fragmented chaos of the JS ecosystem arises as much from the structure of the language as it does the dismal standard library.
That said, I don't buy that language vendors skimp on their standard library due to some marginal cost issue. Quite the opposite, commercial PLs like Go, Kotlin, Swift and the .NET CLI family come with extensive and often surprisingly well-considered standard libraries, and even open-source projects do better than JS (the standout being probably Elixir since it inherits Erlang/OTP). The idea that JS's ecosystem is the template for future languages seems unsound, which is thankfully a relief since it would also be so disheartening.
> chaos of the JS ecosystem arises as much from the structure of the language as it does[...]
Not really. It arises from Sturgeon's law and the matter of accessibility/popularity. The problems of "the JS ecosystem" (correctly stated: the problems with the NPM and its community) are the same problems that plagued Java 15 years ago. (On the other hand, Java at least attempted in its design to enforce good practices at the language level instead of giving everyone an empty canvas, which in the JS world has been considered to be an endorsement that one can and should go absolutely nuts.)
> Sturgeon's law is universal, and it doesn't explain differences in the distribution of the crap.
What differences in distribution? You're either not absorbing what I wrote, or what Sturgeon said, or some combination of both. Sturgeon was responding to the criticism that sci-fi as a genre is bad because of how much of it is crud. Sturgeon's retort was that "Ninety percent of everything is crud."
JS is incredibly accessible and, as a result, massively popular (just like Java). 90% of a large number is a large number.
> I put it to you that this is recognising that the structure of the language is significant in the emergent behaviours and consequences.
Have a reread. Java attempted to enforce good practices by language design. And yet, Java is the poster child of the sentiment that goes, roughly, "Java sucks—after all, just look at its programmers and the ecosystem it has produced". (I.e., the same thing people say about JS.) But Sturgeon's law is inescapable. Despite the attempt, the Java ecosystem looks like crud. Why? Because Java is extremely popular, and 90% of everything is crud, and 90% of a large number is a large number.
> The major browser vendors are all horrendously self-serving, for example.
They are. It has very little to do with the NPM mess. NodeJS and the browser are at odds, with NodeJS having forked the language. (Just look at modules: NodeJS has a known-bad, non-standard module system, and there was serious discussion about whether it would even ever support ECMAScript's standard modules.)