In Capacitor docs (from ionic), npx is used everywhere

 https://capacitor.ionicframework.com/

On Thursday, May 16, 2019, Jesse <purplecabb...@gmail.com> wrote:

> I think there is a disconnect on the actual proposal here.
>
> Here's the pr again ( keep the discussion here please )
> https://github.com/apache/cordova-docs/pull/987/files
>
> The only real use of npx as a one-off command would be the call to create a
> new app. ie. `npx cordova create dirname ...`
> The instructions after that are to cd into the dir, and install cordova
> locally.
> All npx calls after that are run from inside a project folder and are just
> the same as npm run commands, they access the binary exported in
> node_modules/cordova
>
> That said, I do still think npx should be presented as an alternative, and
> not necessarily the 'preferred' way.
>
>
>
>
>
>
> On Wed, May 15, 2019 at 10:38 PM Dmitry Blotsky <dmitry.blot...@gmail.com>
> wrote:
>
> > In terms of exposure, btw, npx is indeed strictly worse than npm install.
> > It checks for dependencies, installs them, and runs them: all at every
> call
> > of a command. That is more frequent than how often anyone runs npm
> install,
> > and is more overhead than running a shell command directly.
> >
> > From a higher-up perspective though: every other software ecosystem gets
> > by with just running commands in a shell. How is our situation so
> > outlandish that the most time-tested tools don’t meet our command-running
> > needs?
> >
> > Dmitry
> >
> > > On May 15, 2019, at 22:29, Dmitry Blotsky <dmitry.blot...@gmail.com>
> > wrote:
> > >
> > > If it’s any convincing data: none of React Native, Ionic, Angular,
> > Ember, Meteor, or Vue mention npx.
> > >
> > > They all recommend npm install -g or some variant using more mature
> > tools.
> > >
> > > I agree that it would be a piece of cake for us to instruct people to
> > install cordova for the local user, or to use per-project installs of
> > cordova. These options are all still pretty convenient, and don’t incur
> the
> > security penalties of npx.
> > >
> > > Dmitry
> > >
> > >> On May 15, 2019, at 02:15, Jesse <purplecabb...@gmail.com> wrote:
> > >>
> > >> Given how contentious this has become, I think our best approach would
> > be
> > >> to continue with our global install expectation, and add documentation
> > on
> > >> a) what to do if you have issues with `npm i -g cordova` [1]
> > >> b) document how to do local dependencies and use npx ( this might be a
> > good
> > >> blog post as well as permanent documentation )
> > >>
> > >> Regarding some of the issues stated previously:
> > >>
> > >>>> Dmitry: 1. It is strictly less secure than the status quo, and all
> > >> alternatives. ..
> > >> The exposure to the user is no different than `npm install -g`, it is
> > just
> > >> harder to know exactly what is happening.
> > >>
> > >>>> Dmitry: 2. It is strictly less stable than a local installation ...
> > >> Only the first `npx cordova create ...` will result in a fetch,
> further
> > >> uses of npx cordova will use the cached version, and can be done
> > without a
> > >> network connection.
> > >>
> > >>>> Darryl: Encouraging people to install Cordova globally causes issues
> > >> when working on multiple projects ...
> > >> Do we have a way of knowing how often this occurs? It sounds rare to
> me.
> > >> Regardless, there is no reason they can't go ahead and install
> > cordova@version
> > >> as a dev dependency
> > >>
> > >> Personally, having read up on npx and done some basic tests, I am okay
> > with
> > >> it.  However, I also don't feel we have to force it on everyone.
> > >> We can suggest it as an alternative, and perhaps after we are all more
> > >> comfortable with it, it can become the default.
> > >>
> > >>
> > >> [1] https://docs.npmjs.com/resolving-eacces-permissions-errors-when-installing-packages-globally
> > >>
> > >>
> > >>
> > >>
> > >> On Tue, May 14, 2019 at 8:12 PM gandhi rajan <gandhiraja...@gmail.com
> >
> > >> wrote:
> > >>
> > >>> Hi Dmitry,
> > >>>
> > >>> I second you on this.
> > >>>
> > >>>> On Tuesday, May 14, 2019, Dmitry Blotsky <dmitry.blot...@gmail.com>
> > wrote:
> > >>>>
> > >>>> I'm really glad this discussion lit up, because it clearly shows
> that
> > >>> this
> > >>>> issue isn't settled.
> > >>>>
> > >>>> I personally have few opinions about the "best" solution here, but I
> > >>>> firmly believe that npx is a non-starter for these 2 reasons:
> > >>>> 1. It is strictly less secure than the status quo, and all
> > alternatives.
> > >>>> It is literally downloading code from hundreds of untrusted parties
> > and
> > >>>> immediately running it. It's worse than piping a curl command into
> > bash
> > >>> (at
> > >>>> least you can check the curl command's URL, or checksum the
> downloaded
> > >>>> script).
> > >>>> 2. It is strictly less stable than a local installation because now
> > every
> > >>>> call to Cordova goes through an opaque dependency.
> > >>>>
> > >>>> Unless both of those can be addressed, I think we shouldn't consider
> > npx.
> > >>>>
> > >>>> Dmitry
> > >>>>
> > >>>>> On May 10, 2019, at 4:31 PM, Oliver Salzburg <
> > >>> oliver.salzb...@gmail.com>
> > >>>> wrote:
> > >>>>>
> > >>>>> Our DX is not good and this proposal would have the potential to
> > have a
> > >>>>> positive impact on that. I'm sorry that you're not convinced yet.
> > >>>>>
> > >>>>> Because I don't want to skip back and forth between GitHub and the
> > >>>>> mailing list, I'll address your points here.
> > >>>>>
> > >>>>> - When you start a new project, unless you create a new cordova
> > project
> > >>>>> every week, you'll download cordova. npx will only help you in
> > >>>>> downloading the package and if you have downloaded it in the past,
> it
> > >>>>> will be pulled from the cache.
> > >>>>>
> > >>>>> - Yes, the Cordova CLI behavior can change over time, which is
> > exactly
> > >>>>> why you would not want to share a single global version with all of
> > >>> your
> > >>>>> projects. I consider this a pro-local point.
> > >>>>>
> > >>>>> - It is 4 more characters to type. Yes. I give you that. But if you
> > >>> want
> > >>>>> to interact with a local installation of cordova, what exactly is
> the
> > >>>>> alternative? Not installing locally? I disagree.
> > >>>>>
> > >>>>> - Your suggestion regarding writing a completely new module to
> > initiate
> > >>>>> a cordova project is completely beside the point here. If you had
> > that
> > >>>>> module, you'd still want to use it with npx. And using `npx
> cordova`
> > >>>>> pulls cordova into the cache where you are going to want to have it
> > >>>>> anyway. If you had a slimmed down module, you now still need to
> > >>> download
> > >>>>> cordova.
> > >>>>>
> > >>>>> By using npx, given your usage examples, you would have less
> > downloads
> > >>>>> instead of more.
> > >>>>>
> > >>>>> I'm sorry, Brody, I don't see your points and I don't feel like
> they
> > >>>>> have been weighed appropriately against the benefits I proposed
> > >>> earlier.
> > >>>>>
> > >>>>> I would also appreciate it if we could try to keep the conversation
> > to
> > >>> a
> > >>>>> single medium. The split between mailing list and GitHub is not
> > >>>> constructive.
> > >>>>>
> > >>>>> Almost like putting part of your application in a global context
> and
> > >>>>> another part in a local context is not constructive...
> > >>>>>
> > >>>>>> On 2019-05-10 23:08, Chris Brody wrote:
> > >>>>>> I am very sorry to say that I am still not convinced about this
> > idea.
> > >>>>>> I just raised some concerns in a recent comment in:
> > >>>>>> https://github.com/apache/cordova-docs/issues/838
> > >>>>>>
> > >>>>>> And I think I am not the only one right now.
> > >>>>>>
> > >>>>>> As I said in cordova-docs#838, I would favor that we mention using
> > >>>>>> `npx cordova` *as an option* in a limited number of places.
> > >>>>>>
> > >>>>>> I would like to express my appreciation to Oliver for the time and
> > >>>>>> effort he has given to improve the documentation, and to contribute a
> > >>>>>> number of updates and fixes in the past. But I would rather take
> the
> > >>>>>> extra time and effort to ensure we keep up the best app DX we can.
> > >>>>>>
> > >>>>>> And I don't really follow what you mean about CORDOVA_CMDLINE,
> would
> > >>>>>> probably be easiest if we keep it in a separate discussion thread
> or
> > >>>>>> issue.
> > >>>>>>
> > >>>>>> On Fri, May 10, 2019 at 3:05 PM Oliver Salzburg
> > >>>>>> <oliver.salzb...@gmail.com> wrote:
> > >>>>>>>
> > >>>>>>> I have already started working on a PR to make the necessary
> > changes
> > >>> to
> > >>>>>>> the documentation, as I was under the impression that consensus
> > >>>>>>> regarding this issue was already reached:
> > >>>>>>>
> > >>>>>>> https://github.com/apache/cordova-docs/pull/987
> > >>>>>>>
> > >>>>>>> Specifically this might be of interest:
> > >>>>>>>
> > >>>>>>> https://github.com/apache/cordova-docs/blob/04363c2796199f5379fa2b5f000099ac8b1a488a/www/docs/en/dev/guide/cli/index.md
> > >>>>>>>
> > >>>>>>> I believe installing the cordova dependency as a devDependency
> > should
> > >>>> be
> > >>>>>>> part of the "create" task. I was planning to propose the
> necessary
> > >>>>>>> changes in another PR, but the freshly ignited debate caused me
> to
> > >>> hold
> > >>>>>>> on that.
> > >>>>>>>
> > >>>>>>> I also brought up another area of concern regarding
> CORDOVA_CMDLINE
> > >>> in
> > >>>>>>> hooks. I mentioned this in the PR.
> > >>>>>>>
> > >>>>>>>
> > >>>>>>>> On 2019-05-10 20:42, Jesse wrote:
> > >>>>>>>> Also thanks for the comprehensive write-up Oliver!
> > >>>>>>>>
> > >>>>>>>> Yeah, I am good with a move to recommend npx.
> > >>>>>>>> I just ran thru the steps and everything seems to work fine with
> > it.
> > >>>>>>>>
> > >>>>>>>> One other reservation I had was just about network usage, and
> > being
> > >>>>>>>> sensitive to places where bandwidth during the day is extremely
> > >>>> costly.  I
> > >>>>>>>> verified that having previously installed platforms android+ios
> in
> > >>>> other
> > >>>>>>>> projects, I was able to `npx cordova platform add android` with
> > the
> > >>>> network
> > >>>>>>>> off and it used a cached version.
> > >>>>>>>>
> > >>>>>>>> Are our new getting started steps going to be this ?:
> > >>>>>>>> ```
> > >>>>>>>> npx cordova create myNewCordovaApp
> > >>>>>>>> cd myNewCordovaApp
> > >>>>>>>> npm i cordova --save-dev
> > >>>>>>>> npx cordova platform add android
> > >>>>>>>> npx cordova run android
> > >>>>>>>> ```
> > >>>>>>>>
> > >>>>>>>> I believe we may also find some issues around cordova-lib having
> > >>>>>>>> expectations of number of args and how it outputs some error
> > >>>> messages, but
> > >>>>>>>> hopefully tests will reveal those.
> > >>>>>>>>
> > >>>>>>>> Cheers,
> > >>>>>>>> Jesse
> > >>>>>>>>
> > >>>>>>>>
> > >>>>>>>>> On Fri, May 10, 2019 at 2:46 AM <raphine...@gmail.com> wrote:
> > >>>>>>>>>
> > >>>>>>>>> Thanks for that structured write-up, Oliver. You saved me from
> > >>>> writing all
> > >>>>>>>>> of that myself.
> > >>>>>>>>>
> > >>>>>>>>> +100 on all those points
> > >>>>>>>>>
> > >>>>>>>>> Oliver Salzburg <oliver.salzb...@gmail.com> wrote on Fri., May 10, 2019, 11:01:
> > >>>>>>>>>
> > >>>>>>>>>> I don't see how third-party tools like nvm or nvm-windows
> play a
> > >>>> role in
> > >>>>>>>>>> this. If those tools have defects, so be it, but that
> shouldn't
> > >>>> steer a
> > >>>>>>>>>> decision when the tools in question ship with the official
> tools
> > >>>> that we
> > >>>>>>>>>> use (NodeJS).
> > >>>>>>>>>> This holds especially true if the issues have already been
> > fixed.
> > >>>>>>>>>>
> > >>>>>>>>>> That being said, it seems like part of this discussion is
> > already
> > >>>> going
> > >>>>>>>>>> into a direction of local vs. global Cordova install, which I
> > >>> didn't
> > >>>>>>>>>> even think was up for debate anymore. What was up for debate
> > last
> > >>>> night,
> > >>>>>>>>>> was how to interact with local Cordova installs.
> > >>>>>>>>>>
> > >>>>>>>>>> However, let me reiterate all points regarding the entire
> issue:
> > >>>>>>>>>>
> > >>>>>>>>>> 1. A global Cordova installation is a huge issue in itself, as
> > >>>>>>>>>> components in Cordova interact with each other in a way that
> > >>>> sometimes
> > >>>>>>>>>> the global components are used and sometimes the local
> > components.
> > >>>> This
> > >>>>>>>>>> happens during runs of individual tasks, like "prepare", where
> > >>> both
> > >>>> the
> > >>>>>>>>>> local and the global cordova-common are loaded for example.
> > >>>>>>>>>> This issue would easily be avoided by placing Cordova itself
> > >>>> locally in
> > >>>>>>>>>> the project. It allows a per-project Cordova version, which is
> > >>>>>>>>>> controlled through the package.json, like any other Cordova
> > >>>> component.
> > >>>>>>>>>> Having your core component global is a horrible design and
> many
> > >>>> other
> > >>>>>>>>>> projects have already realized this years ago and adjusted
> > >>>> accordingly.
> > >>>>>>>>>> Think gulp-cli, babel-cli, ...
> > >>>>>>>>>>
> > >>>>>>>>>> The current approach leads to extremely hard to debug issues
> > and,
> > >>>>>>>>>> ultimately, developer frustration.
> > >>>>>>>>>>
> > >>>>>>>>>> 2. Interacting with a local dependency that has a binary
> > >>> entrypoint
> > >>>> in
> > >>>>>>>>>> node_modules/.bin is exactly what npx was made for. It is
> > already
> > >>>>>>>>>> established as a tool in the NodeJS world and many other
> > projects
> > >>>> make
> > >>>>>>>>>> use of it in the manner we're suggesting.
> > >>>>>>>>>> https://reactjs.org/docs/create-a-new-react-app.html
> > >>>>>>>>>> https://babeljs.io/docs/en/babel-cli
> > >>>>>>>>>> https://gulpjs.com/docs/en/getting-started/quick-start
> > >>>>>>>>>>
> > >>>>>>>>>> There needs to be a very good reason to avoid adapting a well
> > >>>>>>>>>> established approach in the environment you're working in.
> I'll
> > >>> get
> > >>>> to
> > >>>>>>>>>> that.
> > >>>>>>>>>>
> > >>>>>>>>>> 3. Suggesting npx as a way to interact with the Cordova CLI
> not
> > >>> only
> > >>>>>>>>>> serves the purpose of invoking the node_modules/.bin
> entrypoint,
> > >>> but
> > >>>> it
> > >>>>>>>>>> will also already work to create a new project when cordova
> > isn't
> > >>>> even
> > >>>>>>>>>> installed. This reduces the barrier of entry and establishes a
> > way
> > >>>> to
> > >>>>>>>>>> interact with Cordova that will always work.
> > >>>>>>>>>>
> > >>>>>>>>>> It is extremely convenient and developers want convenience. If
> > >>>> there is
> > >>>>>>>>>> one thing we don't need in Cordova, then it is to
> overcomplicate
> > >>>> things,
> > >>>>>>>>>> frustrate developers and drive them away.
> > >>>>>>>>>>
> > >>>>>>>>>> 4. That being said, convenience comes at a price and Dmitry
> has
> > >>>> outlined
> > >>>>>>>>>> the issues that come with npx very well last night on Slack. I
> > >>> agree
> > >>>>>>>>>> with his points and they are also my own, but I feel the
> > benefits
> > >>>>>>>>>> massively outweigh these risks.
> > >>>>>>>>>>
> > >>>>>>>>>> npx downloads packages that aren't available locally and
> > executes
> > >>>> them.
> > >>>>>>>>>> This is by-design and a feature I mentioned earlier. It also
> > opens
> > >>>> the
> > >>>>>>>>>> door for a myriad of security issues, as it has the potential
> to
> > >>> run
> > >>>>>>>>>> unwanted code with every single execution of `npx cordova`.
> > >>>>>>>>>> You just have to type `npx cordoa` once, and suddenly you get
> a
> > >>>>>>>>>> typosquatted package from someone that sends off local data to
> > the
> > >>>>>>>>>> cloud. As a matter of fact, I published the package "rebecca"
> > >>> years
> > >>>> ago
> > >>>>>>>>>> to illustrate exactly this point. Try `npx rebecca` to see
> what
> > I
> > >>>> mean.
> > >>>>>>>>>> While you can run npx with --no-install to avoid this, this
> > would
> > >>>> ruin
> > >>>>>>>>>> any convenience we're trying to establish here.
> > >>>>>>>>>>
> > >>>>>>>>>> npx also adds another layer of complexity. You need an
> > additional
> > >>>> Node
> > >>>>>>>>>> process to even locate the entrypoint you want to invoke,
> check
> > if
> > >>>>>>>>>> downloads need to be made and so on. This would happen every
> > >>> single
> > >>>> time
> > >>>>>>>>>> you invoke the Cordova CLI. I consider this a minor issue, but
> > it
> > >>>> is an
> > >>>>>>>>>> issue nonetheless.
> > >>>>>>>>>>
> > >>>>>>>>>>
> > >>>>>>>>>> With those points in mind, nobody is forced to use Cordova in
> > the
> > >>>> way we
> > >>>>>>>>>> suggest in the docs. I can already install Cordova locally and
> > use
> > >>>> it
> > >>>>>>>>>> with npx if I want to. Users who prefer a global installation
> of
> > >>>> Cordova
> > >>>>>>>>>> to avoid the above mentioned issues, are still free to do so
> and
> > >>>> they
> > >>>>>>>>>> should find instructions on how to set that up in the
> > >>> documentation.
> > >>>>>>>>>>
> > >>>>>>>>>> This is about suggesting to users a way to get started with
> > >>> Cordova
> > >>>> with
> > >>>>>>>>>> as little friction as possible and npx achieves this extremely
> > >>> well
> > >>>> and
> > >>>>>>>>>> leaves us with a far better project structure by default.
> > >>>>>>>>>>
> > >>>>>>>>>>> On 10/05/2019 10:06, Jan Piotrowski wrote:
> > >>>>>>>>>>> While that is correct, nvm-windows indeed had problems with
> npx
> > >>> not
> > >>>>>>>>>>> working after it was first added to node - so Julio's was
> > indeed
> > >>>> true
> > >>>>>>>>>>> in the past.
> > >>>>>>>>>>> Luckily it was fixed, so even we lowly Windows users now can
> > use
> > >>>> npx.
> > >>>>>>>>>>>
> > >>>>>>>>>>> On Fri., May 10, 2019 at 09:48, Oliver Salzburg
> > >>>>>>>>>>> <oliver.salzb...@gmail.com> wrote:
> > >>>>>>>>>>>> npx ships with Node.
> > >>>>>>>>>>>>
> > >>>>>>>>>>>> On Fri, May 10, 2019, 00:33 Jesse <purplecabb...@gmail.com>
> > >>>> wrote:
> > >>>>>>>>>>>>
> > >>>>>>>>>>>>> Hello Dmitry,
> > >>>>>>>>>>>>>
> > >>>>>>>>>>>>> In my mind, cordova-cli is intended to be installed
> globally,
> > >>> in
> > >>>>>>>>>> situations
> > >>>>>>>>>>>>> where that is not possible we could *maybe* recommend
> that
> > >>>> users
> > >>>>>>>>> use
> > >>>>>>>>>>>>> npx, but I don't think it's a great experience.  btw, npx
> > needs
> > >>>> to be
> > >>>>>>>>>>>>> globally installed ... so ok!?
> > >>>>>>>>>>>>> This is really just a symptom of a bad node setup, and
> would
> > >>>> never
> > >>>>>>>>>> happen
> > >>>>>>>>>>>>> if using nvm or similar node switcher.
> > >>>>>>>>>>>>>
> > >>>>>>>>>>>>> The issue raised in that thread appears to be simply
> related
> > to
> > >>>> where
> > >>>>>>>>>>>>> config stores its data, specifically opt in/out of
> telemetry.
> > >>>>>>>>>>>>>
> > >>>>>>>>>>>>>
> > >>>>>>>>>>>>>
> > >>>>>>>>>>>>>
> > >>>>>>>>>>>>> On Thu, May 9, 2019 at 2:45 PM Dmitry Blotsky <
> > >>>>>>>>>> dmitry.blot...@gmail.com>
> > >>>>>>>>>>>>> wrote:
> > >>>>>>>>>>>>>
> > >>>>>>>>>>>>>> Hi all,
> > >>>>>>>>>>>>>>
> > >>>>>>>>>>>>>> It’s been a while. :) I hope you’re all doing well.
> > >>>>>>>>>>>>>>
> > >>>>>>>>>>>>>> I’m writing to start some mailing list discussion about
> this
> > >>>> GitHub
> > >>>>>>>>>>>>> issue:
> > >>>>>>>>>>>>>> https://github.com/apache/cordova-docs/issues/838.
> > >>>>>>>>>>>>>>
> > >>>>>>>>>>>>>> Please say if we should continue talking there, and we can
> > do
> > >>>> that
> > >>>>>>>>>>>>> instead.
> > >>>>>>>>>>>>>> If not, let’s continue here.
> > >>>>>>>>>>>>>>
> > >>>>>>>>>>>>>> It sounds like we’ve got a request to run Cordova without
> a
> > >>>> global
> > >>>>>>>>>> sudo
> > >>>>>>>>>>>>>> install. What are the ways you all can think of to achieve
> > >>> this?
> > >>>>>>>>>>>>>>
> > >>>>>>>>>>>>>> Dmitry
> > >>>>>>>>>>> ------------------------------------------------------------
> > >>>> ---------
> > >>>>>>>>>>> To unsubscribe, e-mail: dev-unsubscr...@cordova.apache.org
> > >>>>>>>>>>> For additional commands, e-mail: dev-h...@cordova.apache.org
> > >>>>>>>>>>>
> > >>>>>>>>>>
> > >>>>>>>>>>
> > >>>>>>>>>>
> > >>>>>>>>>
> > >>>>>>>>
> > >>>>>>>
> > >>>>>>>
> > >>>>>>>
> > >>>>>>>
> > >>>>>>
> > >>>>>>
> > >>>>>>
> > >>>>>
> > >>>>>
> > >>>>>
> > >>>>
> > >>>>
> > >>>
> > >>> --
> > >>> Regards,
> > >>> Gandhi
> > >>>
> > >>> "The best way to find urself is to lose urself in the service of
> others
> > >>> !!!"
> > >>>
> >
> >
> >
>
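
The behaviour debated in this thread (run only the project's own `node_modules/.bin` entry, as `npx --no-install` does, and never fetch a mistyped name such as `cordoa`), sketched as an added example that is not part of the original messages and is not Cordova or npm code. The function names `find_local_bin` and `run_local` are hypothetical.

```shell
#!/bin/sh
# Added example: resolve a CLI strictly from the nearest project's
# node_modules/.bin and never fall through to a registry download.

# find_local_bin NAME [START_DIR]
# Prints the path of NAME in the nearest node_modules/.bin, walking up
# from START_DIR (default: current directory).
# Returns 1 if NAME is not installed, 2 if NAME is not a plain command name.
find_local_bin() {
    name=$1
    # Reject empty names, path components and dot-prefixed names so the
    # lookup cannot be steered outside node_modules/.bin.
    case $name in
        ''|*/*|.*) return 2 ;;
    esac
    # Work on an absolute, symlink-free path so the upward walk ends at "/".
    dir=$(cd "${2:-.}" && pwd -P) || return 1
    while :; do
        candidate=$dir/node_modules/.bin/$name
        if [ -f "$candidate" ] && [ -x "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
        [ "$dir" = "/" ] && return 1
        dir=$(dirname "$dir")
    done
}

# run_local NAME [ARGS...]
# Executes NAME only if the project has it installed; otherwise refuses
# with status 127 instead of downloading a package of that name.
run_local() {
    name=$1
    shift
    if bin=$(find_local_bin "$name"); then
        "$bin" "$@"
    else
        printf 'refusing to run "%s": not installed in this project\n' "$name" >&2
        return 127
    fi
}
```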
