NPM 6.9.1 is broken due to .git folder in published tarball

195 points, by FrankSansC, almost 6 years ago

10 comments

kotxig, almost 6 years ago
While this is clearly a bug, the default publish strategy is to publish all the contents of the package including dev/test files. If you look at the node_modules tree on a typical server-side node project it's full of garbage files.

We still think it's a great idea to pull down hundreds if not thousands of copies of modules from a remote every time we generate a build. The community has always been lacking maturity around how it manages modules and releases code for production, preferring to preserve developer productivity and trinket features over best security practices and optimizing for the size and quality of production packages.

I don't want to install hundreds of modules every time I create a new build. I don't want your tests or your README in my production tarball. I don't want your browser compatibility code in my server code. I don't want my node_modules tree to be 9 layers deep. I don't want to have to dedupe multiple copies of modules by hand. I don't want to have to debug where shrinkwrap isn't respected. I don't want to play roulette with the package manager version to figure out which one does the right thing for my package. I don't want to run your dubious pre/post install scripts. I don't want to use npm.

The sad thing is, npm is a commercial entity that has its package manager published by default with an opensource community project. And this is why we can't have nice things.
MehdiHK, almost 6 years ago
Probably relevant:

This week's Node.js weekly [1] mentions: "Last week we mentioned the long awaited status of npm 6.9.1 and the possible 'strike' [2] in ongoing community work on the project, but npm's Isaac Z. Schlueter has stepped up, got a release out"

[1] https://nodeweekly.com/issues/294

[2] https://gist.github.com/aeschright/8ed09cbc2a4aee00fcb4ad35086d76a6
_Marak_, almost 6 years ago
NPM still has bugs from v5 which haven't been addressed and are ignored by its maintainers. Problems with `npm link` were never fixed. There is a discussion on the NPM tracker where the maintainers tell Substack that his (very correct) assessment of an issue was wrong and lock the thread.

It's always the same usual suspects at NPM never accepting responsibility or blame for multiple incidents and ongoing quality issues.

NPM is currently on its last legs before acquisition or buyout.
gigatexal, almost 6 years ago
I think this probably happens more often in other package repositories than we hear about; it's just that NPM is gigantic and people like to hate on JavaScript.

I've done stupid things too. I once committed the s3 keys to our public repo and had to explain why our s3 bill was so high. Never made that mistake again.
rolltiide, almost 6 years ago
The interesting thing about semi-decentralized technologies is that every issue seems like a clusterfuck, but it actually gets fixed fairly quickly and nobody in the future has to think about it at all.
Sahhaese, almost 6 years ago
I see it's been fixed by releasing 6.9.2.

Does this mean you can now "brick" people's projects by sneaking npm@6.9.1 into their package.json?
z3t4, almost 6 years ago
These sorts of bugs are hard to find with unit tests. But it's still easy to test, to make sure it never happens again. I think it's called integration tests. It can also be done with live testing, by checking all packages that land on the public repository: whether they include a .git folder, passwords/keys, or other credentials.
mrolla, almost 6 years ago
Bug aside, it baffles me that it's a real person publishing rather than CI after tagging.
nullwasamistake, almost 6 years ago
Software this popular doesn't even run a test that installs, upgrades, then uninstalls before deployment? Isn't that the most important thing the software needs to be able to do? Does NPM test anything at all before they release? Another reason to switch to yarn.
mustardo, almost 6 years ago
Fuckit.JS to the rescue?

https://github.com/mattdiamond/fuckitjs/blob/master/README.md