> Shrinkwrap files only lock down package versions, not actual package contents.
It's easily mitigated by using a private/caching repository server that doesn't allow subsequent tarballs to replace cached ones. Having such a server is highly recommended anyway because npmjs could be down when you're deploying. Besides, if you don't trust a package's maintainer to not do stupid things (like republishing), why do you even use that package?

On Friday, November 15, 2013 2:42:54 PM UTC+4, ajlopez wrote:

> I have no experience in big production deploys, but I see other teams using:
>
> https://npmjs.org/doc/shrinkwrap.html
>
> But
> Caveats
>
> Shrinkwrap files only lock down package versions, not actual package contents. While discouraged, a package author can republish an existing version of a package, causing shrinkwrapped packages using that version to pick up different code than they were before. If you want to avoid any risk that a byzantine author replaces a package you're using with code that breaks your application, you could modify the shrinkwrap file to use git URL references rather than version numbers so that npm always fetches all packages from git.
>
> If you wish to lock down the specific bytes included in a package, for example to have 100% confidence in being able to reproduce a deployment or build, then you ought to check your dependencies into source control, or pursue some other mechanism that can verify contents rather than versions.
>
> There was a discussion(s) in this list about deploying directly the node_modules directory in some cases. I have no link now
>
> Angel "Java" Lopez
> @ajlopez
>
> On Fri, Nov 15, 2013 at 7:09 AM, Stefan Klein <[email protected]> wrote:
>
>> Hi List,
>>
>> in a "normal" web application you can always use either the process ID or a thread ID to identify all log entries for one request.
>>
>> Of course this doesn't work in nodejs.
>> Are there any options to identify a call stack?
>>
>> How do you correlate log messages of modules/submodules to the incoming request?
>>
>> Thanks,
>> Stefan
>>
>> --
>> --
>> Job Board: http://jobs.nodejs.org/
>> Posting guidelines: https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines
>> You received this message because you are subscribed to the Google Groups "nodejs" group.
>> To post to this group, send email to [email protected]
>> To unsubscribe from this group, send email to [email protected]
>> For more options, visit this group at http://groups.google.com/group/nodejs?hl=en?hl=en
>>
>> ---
>> You received this message because you are subscribed to the Google Groups "nodejs" group.
>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> For more options, visit https://groups.google.com/groups/opt_out.
