Hello List and Sander,

It's nice to see the all good work done to keep up with the node.js
enchilada. I have a few questions about what this means for packages in
the nixpkgs collection.

1. Should pkgs/top-level/node-packages.{nix,json} be removed now?

2. Because I would like to update bower2nix from 3.0.1 -> 3.1.0, I run

   (I noticed that this script could include the special nix-shell
   shebang to ensure node2nix is available when running the script).

   Is it possible/desirable to limit version changes to just bower2nix
   and maybe its direct dependencies -- to minimize possible disruption
   to other nodePackages. This whole topic is a can of worms of course.

3. I "maintain" another node.js package -- pump.io -- which I'm unsure
   what to do with. I was probably too eager to PR this into the nixpkgs
   collection in the first place.

   It recently had a 1.0.0 release which contains security-relevant

   If I update to 1.0.0 it means dumping another 112K of fluff into our
   git repo. This might be OK if it were for a decent language's package
   system, or if the software had lots of users.

   I think the best course of action is to remove the pump.io module and
   package from the main nixpkgs collection. Then maybe put it back when
   it's possible to generate derivations directly from a shrinkwrap.json.


nix-dev mailing list

Reply via email to