On Thu, Jun 28, 2012 at 9:12 PM, Isaac Schlueter <[email protected]> wrote:
> > So what happens then
> > when someone on 0.6.15 tried to install my library. Will it throw an error,
> > or will it load the previously published version that had the >=0.6.0
> > constraint and the nasty security hole?
>
> Today, if you didn't remove the older version, then they'll get the
> old version of vfs-local. With this change, they'll get the new
> version of vfs-local, and see a warning that their node version needs
> to be upgraded.
>
> If you did unpublish, then before this change, they'd get an ENOTSUP
> (and probably run with --force, and get no warning or error.) With
> the change, they'd get the warning.
>
> Seems to me like actually a slightly better outcome in both cases.

Seems to me like a bloody awful outcome.

So you're saying now that if we find a security issue in an earlier version of node or our libraries, that we have to unpublish all older versions, or just hope that upon install (which npm can often have a lot of output) we have to watch for some warning message, or we get some massive security hole?

I ask again, what's wrong with: try the latest version. If engines doesn't match, FAIL HARD. Unless they use --force. Stop trying to backtrack to an earlier version.

Matt.

--
Job Board: http://jobs.nodejs.org/
Posting guidelines: https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines
You received this message because you are subscribed to the Google Groups "nodejs" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [email protected]
For more options, visit this group at http://groups.google.com/group/nodejs?hl=en?hl=en
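The two resolution strategies argued about in this thread, modelled side by side as an added example (this is not npm's code and not anything posted in the thread): the backtracking behaviour, which walks down from the newest published version to the first one whose `engines.node` range admits the running node, and Matt's proposal, which takes only the newest version and refuses to install on an engines mismatch unless `--force` is given. The package versions, engines ranges and node versions below are constructed sample data, and the range matcher is a deliberately small one that handles only simple `>=`/`<`-style comparators, not full semver syntax.

```javascript
// Added example, not npm's implementation. Models two ways of choosing a
// version to install when each published version declares an engines range.
// All package data below is constructed for illustration.

// Parse "0.6.15" or "v0.6.15" into [0, 6, 15].
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  if (!m) throw new Error('unsupported version string: ' + v);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Compare two version strings: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Minimal range matcher: whitespace-separated comparators such as
// ">=0.6.0 <0.9.0" are ANDed. Only >=, >, <=, <, = are supported.
function satisfies(version, range) {
  return String(range).trim().split(/\s+/).every((comp) => {
    const m = /^(>=|<=|>|<|=)?(v?\d+\.\d+\.\d+)$/.exec(comp);
    if (!m) throw new Error('unsupported comparator: ' + comp);
    const c = compareVersions(version, m[2]);
    switch (m[1] || '=') {
      case '>=': return c >= 0;
      case '>':  return c > 0;
      case '<=': return c <= 0;
      case '<':  return c < 0;
      default:   return c === 0;
    }
  });
}

// Constructed sample registry for a hypothetical package: the older release
// declared a wide engines range, the newer one tightened it.
const PUBLISHED = [
  { version: '1.0.0', engines: { node: '>=0.6.0' } },
  { version: '1.1.0', engines: { node: '>=0.8.0' } },
];

function newestFirst(published) {
  return published.slice().sort((a, b) => compareVersions(b.version, a.version));
}

// Backtracking strategy: newest version whose engines range matches the
// running node, or null if none does. Note that an older release is chosen
// silently, which is the behaviour the thread objects to.
function resolveBacktrack(published, nodeVersion) {
  for (const p of newestFirst(published)) {
    if (satisfies(nodeVersion, p.engines.node)) return p.version;
  }
  return null;
}

// Fail-hard strategy: only the newest version is a candidate. On an engines
// mismatch the install is refused (version null, error set) unless force is
// true, in which case it proceeds and a warning is returned.
function resolveFailHard(published, nodeVersion, force) {
  const latest = newestFirst(published)[0];
  const range = latest.engines.node;
  const msg = 'node ' + nodeVersion + ' does not satisfy engines ' + range +
              ' required by ' + latest.version;
  if (satisfies(nodeVersion, range)) {
    return { version: latest.version, warning: null, error: null };
  }
  if (force) {
    return { version: latest.version, warning: msg + ' (installed with --force)', error: null };
  }
  return { version: null, warning: null, error: msg };
}

// Stand-alone demonstration with the constructed data.
for (const node of ['0.6.15', '0.8.1']) {
  console.log('node', node,
    '| backtrack ->', resolveBacktrack(PUBLISHED, node),
    '| fail-hard ->', JSON.stringify(resolveFailHard(PUBLISHED, node, false)),
    '| fail-hard --force ->', JSON.stringify(resolveFailHard(PUBLISHED, node, true)));
}
```

Running it shows the difference the thread is about: on node 0.6.15 the backtracking strategy quietly installs 1.0.0 (the release with the wider engines range), while the fail-hard strategy installs nothing and reports the mismatch, and installs 1.1.0 with a warning only when forced. On node 0.8.1 both strategies pick 1.1.0.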
