I was dealing with checked-in dependencies in a private project with a few people who don't seem to be very familiar with node.
 
It resulted in a huge node_modules folder checked in (with binary deps, because nobody cared); they weren't updated at all (and were outdated for about a year). And the worst thing is that when people find bugs in modules, they actually commit their changes directly to node_modules!
 
After that we force-pushed all dependencies out of git and swore never to repeat that.
 
I'm not saying it's a bad idea, but in that case I strongly suggest keeping two separate git repositories: one for development (without node_modules or any generated files at all) and one for deployment.
 
 
20.12.2013, 03:07, "Richard Marr" <[email protected]>:

I completely agree that checking in dependencies is currently a sensible and pragmatic option for those concerned with consistency or security, but I disagree with anyone that thinks that we shouldn't be setting our sights a bit higher.
I don't want anyone to take this as a criticism; I've got immense respect for anyone who's contributed to node, npm, or any of the other packages I have the privilege to use. All I'm saying is that this one feature causes deep problems, and that I think there are other ways to address the problems it was designed to address.





On 19 December 2013 22:28, Mikeal Rogers <[email protected]> wrote:
+1

On Dec 18, 2013, at 12:41PM, Tim Caswell <[email protected]> wrote:

If you want this level of static dependencies, you can check your deps into node_modules in your git tree or use git submodules in there. Git does guarantee that the thing you point to can't be changed, because the hash *is* the hash of the content. If anything changes, the hash changes.


On Wed, Dec 18, 2013 at 7:40 AM, Brian Lalor <[email protected]> wrote:
On Dec 18, 2013, at 7:23 AM, Richard Marr <[email protected]> wrote:

I'm working on an app where security is an issue, and among the (many) things that I'm frothingly paranoid about is the possibility of malicious (or more likely just untested) code somehow getting into our app, even though we're using shrink-wrapped versions. It means we'll have to be much more careful with the way we proxy the npm registry. 
I'd like to know this as well. One of the guarantees made by the Maven central repository is that artifacts (packages) can check in, but they can never check out. I frankly don't think NPM provides this type of assurance, but it should. Otherwise the only way an organization can trust packages is to run their own repository.

--
Brian Lalor
 
--
--
Job Board: http://jobs.nodejs.org/
Posting guidelines: https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines
You received this message because you are subscribed to the Google
Groups "nodejs" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to
[email protected]
For more options, visit this group at
http://groups.google.com/group/nodejs?hl=en?hl=en
 
---
You received this message because you are subscribed to the Google Groups "nodejs" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
 



--
Richard Marr

 
