Well okay, just one silly argument. How will these people know that they're doing the wrong thing if nothing will ever break? :)
 
 
20.12.2013, 03:42, "Mikeal Rogers" <[email protected]>:
First off, if someone version locks they are already doing the wrong thing. Saying "make my package ignore bugfix releases" is almost always the wrong thing. In this case it's better to keep their package working for them since they clearly don't know what they're doing.
 
If they **really** didn't want any changes coming in that they didn't know about then they had two other options that would still work: 1) check the module into git if they are deploying an app, or shrinkwrap publish if it's not something being deployed 2) stick the md5 in package.json to ensure nobody can give them another tarball for the same version.
 
We have to deal with what people are doing in practice when they don't necessarily understand the best practice and it's especially important when you maintain a common dependency to do what you can to keep everyone who relies on you working even when they don't do things correctly.
 
-Mikeal

On Dec 19, 2013, at 3:12PM, Alex Kocharin <[email protected]> wrote:

 
Suppose somebody made a conscious choice to rely on your package version 1.2.3. If they wanted to receive updates, they would've specified ~1.2.3, and received your 1.2.4 with a bugfix. But they don't, even though npm specifies the "~" syntax by default. Why do you suggest replacing 1.2.3 (if it's broken or something) with a different version that the dependent explicitly didn't want to see installed?
 
 
20.12.2013, 03:03, "Mikeal Rogers" <[email protected]>:
In the real world it's just better to have your dependents not fail to install; you can't actually rely on the maintainers doing another publish after you break them. In the end, the fewer packages that fail to install from npm the better, and whatever solution results in the least number of un-installable packages sitting in the registry is the one we should go with.
 
-Mikeal

On Dec 19, 2013, at 2:59PM, Alex Kocharin <[email protected]> wrote:

 
Why is it a bad thing?
 
If someone wants to receive your update, he'll specify a version range and an update will be installed automatically.
 
If someone wants to rely specifically on a broken version and has locked it, they kinda asked for it.
 
Well yeah, unpublishing is bad except for very few cases where public data is leaked. But when you do that, don't republish the same version ever again. It'll mess things up. I like to see how npm v1.3.19 is missing from the registry, for example.
 
 
20.12.2013, 02:27, "Mikeal Rogers" <[email protected]>:
That leaves all of the other packages already published and relying on a specific version broken.

On Dec 19, 2013, at 11:46AM, Dean Landolt <[email protected]> wrote:

Even in that case it would still seem better to allow unpublish and bump the version number, right?

Immutability (plus unpublish) would make the npm registry an even better place.


On Thu, Dec 19, 2013 at 2:43 PM, Mikeal Rogers <[email protected]> wrote:
There have also been security issues where old packages were shipped with sensitive information that needed to be ripped out.

On Dec 18, 2013, at 5:07PM, Forrest L Norvell <[email protected]> wrote:

I agree that packages should rarely be changed, but in practice if there's a major bug or the packaging gets totally botched (which has happened to me a few times), it's good to have the ability to fix the problem in-place. I'm less enamored of the possibility of removing packages once they've been published. That seems like it's almost always a bad idea, and I would be in favor of altering the registry to disallow it.
 
F


On Wed, Dec 18, 2013 at 12:41 PM, Tim Caswell <[email protected]> wrote:
If you want this level of static dependencies you can check in your deps into node_modules in your git tree or use git submodules in there.  Git does guarantee that the thing you point to can't be changed because the hash *is* the hash of the content.  If anything changes, the hash changes.


On Wed, Dec 18, 2013 at 7:40 AM, Brian Lalor <[email protected]> wrote:
On Dec 18, 2013, at 7:23 AM, Richard Marr <[email protected]> wrote:

I'm working on an app where security is an issue, and among the (many) things that I'm frothingly paranoid about is the possibility of malicious (or more likely just untested) code somehow getting into our app, even though we're using shrink-wrapped versions. It means we'll have to be much more careful with the way we proxy the npm registry. 
I’d like to know this, as well.  One of the guarantees made by the Maven central repository is that artifacts (packages) can check in, but they can never check out.  I frankly don’t think NPM provides this type of assurance, but it should.  Otherwise the only way an organization can trust packages is to run their own repository.

--
Brian Lalor
 
--
--
Job Board: http://jobs.nodejs.org/
Posting guidelines: https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines
You received this message because you are subscribed to the Google
Groups "nodejs" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to
[email protected]
For more options, visit this group at
http://groups.google.com/group/nodejs?hl=en?hl=en
 
---
You received this message because you are subscribed to the Google Groups "nodejs" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
 