No idea why. I think it would be reasonable for the npm registry to allow unpublishing, but deny republishing exactly the same version number afterwards. So if something needs to be republished, the maintainer will be forced to change the version number (or add a build number, although it's now ignored by npm).
You can try to use a caching npm registry, for example this one:
It wasn't specifically created for ensuring immutability, but it's a nice side effect. Once a certain package (tarball) is cached there, all subsequent changes in the npm registry will simply be ignored. This way I was able to detect changes in bson v0.2.3 deep inside our dependency tree, although nothing harmful was there.
Anyway, if you're thinking about security, I'd suggest bringing up another issue: signed packages. Without them it's hard to rely even on your own published packages. Although I'm not quite sure how to implement this properly, I feel it really needs some attention.
18.12.2013, 16:23, "Richard Marr" <[email protected]>:
I'm working on an app where security is an issue, and among the (many) things that I'm frothingly paranoid about is the possibility of malicious (or more likely just untested) code somehow getting into our app, even though we're using shrink-wrapped versions. It means we'll have to be much more careful with the way we proxy the npm registry.
This is probably a stupid/tired question, but why does npm allow mutable packages? As a secondary point, I would have thought immutable packages would allow for much better caching behaviour, so reduce load on the registry itself and speed up npm for everybody.
--
Richard Marr
--
Job Board: http://jobs.nodejs.org/
Posting guidelines: https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines
You received this message because you are subscribed to the Google
Groups "nodejs" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to
[email protected]
For more options, visit this group at
http://groups.google.com/group/nodejs?hl=en?hl=en
---
You received this message because you are subscribed to the Google Groups "nodejs" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
