Can the NPM fiasco happen to Magento 2?
It's not that bad. composer show -it shows a huge tree, but if you leave out the repositories hosted by Magento itself and the PHP extension requirements, the external requirements are:
Composer itself
Frameworks
- Zend Framework
- Symfony
Others
- braintree/braintree_php
- justinrainbow/json-schema
- seld/jsonlint
- monolog/monolog
- psr/log
- oyejorge/less.php
- pelago/emogrifier
- phpseclib/phpseclib
- tedivm/jshrink
- tubalmartin/cssmin
The big frameworks are not going to go away any time soon and other than in the node.js world, there is no trend to depend on countless micropackages, so that the removal of one unremarkable package breaks many applications and frameworks. The Zend Framework has no external dependencies at all and symfony only a few (listed above).
But the question is still valid:
What if one of those external resources gets removed by the author and in case of possible harm, what can we do to prevent that ?
I don't know if Magento has anything like that in place, but if you want to insure yourself from this situation, you can always use Toran Proxy Private Packagist to maintain your own mirror of packages from packagist, github etc.
it's definetely possible. If they are not already doing it, Magento could mirror all needed Packages on repo.magento.com.
Although not sure what's the legal situation here