They won't :) Oh well :)
It's better for things to work than for everyone to agree.

-Mikeal

On Dec 19, 2013, at 3:47PM, Alex Kocharin <[email protected]> wrote:

>
> Well okay, just one silly argument. How will these people know that they're
> doing the wrong thing if nothing will ever break? :)
>
>
> 20.12.2013, 03:42, "Mikeal Rogers" <[email protected]>:
>> First off, if someone version locks they are already doing the wrong thing.
>> Saying "make my package ignore bugfix releases" is almost always the wrong
>> thing. In this case it's better to keep their package working for them since
>> they clearly don't know what they're doing.
>>
>> If they **really** didn't want any changes coming in that they didn't know
>> about then they had two other options that would still work: 1) check the
>> module in to git if they are deploying an app or shrinkwrap publish if it's
>> not something being deployed 2) stick the md5 in package json to ensure
>> nobody can give them another tarball for the same version.
>>
>> We have to deal with what people are doing in practice when they don't
>> necessarily understand the best practice and it's especially important when
>> you maintain a common dependency to do what you can to keep everyone who
>> relies on you working even when they don't do things correctly.
>>
>> -Mikeal
>>
>> On Dec 19, 2013, at 3:12PM, Alex Kocharin <[email protected]> wrote:
>>
>>>
>>> Suppose somebody made a conscious choice to rely on your package version
>>> 1.2.3. If they wanted to receive updates, they would've specified ~1.2.3, and
>>> receive your 1.2.4 with a bugfix. But they don't even though npm specifies
>>> "~" syntax by default. Why do you suggest to replace 1.2.3 (if it's broken
>>> or something) with a different version dependent explicitly didn't want to
>>> see installed?
>>>
>>>
>>> 20.12.2013, 03:03, "Mikeal Rogers" <[email protected]>:
>>>> In the real world it's just better to have your dependents not fail to
>>>> install, you can't actually rely on the maintainers doing another publish
>>>> after you break them. In the end, the less packages that fail to install
>>>> from npm the better and whatever solution results in the least number of
>>>> un-installable packages sitting in the registry is the one we should go
>>>> with.
>>>>
>>>> -Mikeal
>>>>
>>>> On Dec 19, 2013, at 2:59PM, Alex Kocharin <[email protected]> wrote:
>>>>
>>>>>
>>>>> Why is it a bad thing?
>>>>>
>>>>> If someone wants to receive your update, he'll specify a version range
>>>>> and an update will be installed automatically.
>>>>>
>>>>> If someone wants to rely specifically on broken version and locked it,
>>>>> they kinda asked for it.
>>>>>
>>>>> Well yeah, unpublishing is bad except for very few cases where public
>>>>> data is leaked. But when you do that, don't republish the same version
>>>>> ever again. It'll mess up things. I like to see how npm v1.3.19 is
>>>>> missing from registry for example.
>>>>>
>>>>>
>>>>> 20.12.2013, 02:27, "Mikeal Rogers" <[email protected]>:
>>>>>> That leaves all of the other packages already published and relying on a
>>>>>> specific version broken.
>>>>>>
>>>>>> On Dec 19, 2013, at 11:46AM, Dean Landolt <[email protected]> wrote:
>>>>>>
>>>>>>> Even in that case it would still seem better to allow unpublish and
>>>>>>> bump the version number, right?
>>>>>>>
>>>>>>> Immutability (plus unpublish) would make the npm registry an even
>>>>>>> better place.
>>>>>>>
>>>>>>>
>>>>>>> On Thu, Dec 19, 2013 at 2:43 PM, Mikeal Rogers
>>>>>>> <[email protected]> wrote:
>>>>>>> There have also been security issues where old packages were shipped
>>>>>>> with sensitive information that needed to be ripped out.
>>>>>>>
>>>>>>> On Dec 18, 2013, at 5:07PM, Forrest L Norvell <[email protected]>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> I agree that packages should rarely be changed, but in practice if
>>>>>>>> there's a major bug or the packaging gets totally botched (which has
>>>>>>>> happened to me a few times), it's good to have the ability to fix the
>>>>>>>> problem in-place. I'm less enamored on the possibility of removing
>>>>>>>> packages once they've been published. That seems like it's almost
>>>>>>>> always a bad idea, and I would be in favor of altering the registry to
>>>>>>>> disallow it.
>>>>>>>>
>>>>>>>> F
>>>>>>>>
>>>>>>>>
>>>>>>>> On Wed, Dec 18, 2013 at 12:41 PM, Tim Caswell <[email protected]>
>>>>>>>> wrote:
>>>>>>>> If you want this level of static dependencies you can check in your
>>>>>>>> deps into node_modules in your git tree or use git submodules in
>>>>>>>> there. Git does guarantee that the thing you point to can't be
>>>>>>>> changed because the hash *is* the hash of the content. If anything
>>>>>>>> changes, the hash changes.
>>>>>>>>
>>>>>>>>
>>>>>>>> On Wed, Dec 18, 2013 at 7:40 AM, Brian Lalor <[email protected]> wrote:
>>>>>>>> On Dec 18, 2013, at 7:23 AM, Richard Marr <[email protected]>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>>> I'm working on an app where security is an issue, and among the
>>>>>>>>> (many) things that I'm frothingly paranoid about is the possibility
>>>>>>>>> of malicious (or more likely just untested) code somehow getting into
>>>>>>>>> our app, even though we're using shrink-wrapped versions. It means
>>>>>>>>> we'll have to be much more careful with the way we proxy the npm
>>>>>>>>> registry.
>>>>>>>>
>>>>>>>> I’d like to know this, as well. One of the guarantees made by the
>>>>>>>> Maven central repository is that artifacts (packages) can check in,
>>>>>>>> but they can never check out. I frankly don’t think NPM provides this
>>>>>>>> type of assurance, but it should. Otherwise the only way an
>>>>>>>> organization can trust packages is to run their own repository.
>>>>>>>>
>>>>>>>> --
>>>>>>>> Brian Lalor
>>>>>>>> [email protected]
>>>>>>>>
>>>>>>>> --
>>>>>>>> --
>>>>>>>> Job Board: http://jobs.nodejs.org/
>>>>>>>> Posting guidelines:
>>>>>>>> https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines
>>>>>>>> You received this message because you are subscribed to the Google
>>>>>>>> Groups "nodejs" group.
>>>>>>>> To post to this group, send email to [email protected]
>>>>>>>> To unsubscribe from this group, send email to
>>>>>>>> [email protected]
>>>>>>>> For more options, visit this group at
>>>>>>>> http://groups.google.com/group/nodejs?hl=en?hl=en
>>>>>>>>
>>>>>>>> ---
>>>>>>>> You received this message because you are subscribed to the Google
>>>>>>>> Groups "nodejs" group.
>>>>>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>>>>>> an email to [email protected].
>>>>>>>> For more options, visit https://groups.google.com/groups/opt_out.
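
Added example, not from the thread and not npm's own code: a Node.js illustration of the two outcomes debated above, where a consumer holding an exact version and a recorded tarball digest sees either an uninstallable version (unpublish plus version bump) or a content mismatch (same version replaced in place). The pin record, the Map standing in for the registry and the function names are assumptions; SHA-256 is swapped in for the md5 mentioned in the thread, and only plain x.y.z versions are handled.

```javascript
const crypto = require('crypto');

// SHA-256 of the tarball bytes (the thread suggests md5; SHA-256 is swapped in
// because md5 is not collision resistant).
const digest = (buf) => crypto.createHash('sha256').update(buf).digest('hex');

// Resolve "1.2.3" (exact) or "~1.2.3" (same major.minor, patch >= 3) against
// the versions the registry currently offers. Returns null if nothing matches.
function resolve(range, versions) {
  const tilde = range.startsWith('~');
  const [maj, min, pat] = range.replace(/^~/, '').split('.').map(Number);
  const ok = versions
    .map((v) => v.split('.').map(Number))
    .filter(([a, b, c]) => a === maj && b === min && (tilde ? c >= pat : c === pat))
    .sort((x, y) => y[2] - x[2]);
  return ok.length ? ok[0].join('.') : null;
}

// registry: Map of "name@version" -> Buffer (constructed stand-in for tarballs).
// pins: hypothetical consumer-side record of "name@version" -> digest.
function checkInstall(registry, pins, name, range) {
  const versions = [...registry.keys()]
    .filter((k) => k.startsWith(name + '@'))
    .map((k) => k.slice(name.length + 1));
  const version = resolve(range, versions);
  if (version === null) return { status: 'uninstallable' };
  const key = `${name}@${version}`;
  if (!(key in pins)) return { status: 'unpinned', version };
  const same = digest(registry.get(key)) === pins[key];
  return { status: same ? 'ok' : 'content-changed', version };
}

// Constructed scenario: a consumer pinned dep@1.2.3 when it was first published.
const original = Buffer.from('dep 1.2.3 original tarball bytes');
const pins = { 'dep@1.2.3': digest(original) };

// (a) 1.2.3 unpublished, fix shipped as 1.2.4.
const bumped = new Map([['dep@1.2.4', Buffer.from('dep 1.2.4 fixed')]]);
// (b) 1.2.3 replaced in place with different contents.
const replaced = new Map([['dep@1.2.3', Buffer.from('dep 1.2.3 fixed in place')]]);

console.log(checkInstall(bumped, pins, 'dep', '1.2.3'));    // uninstallable
console.log(checkInstall(bumped, pins, 'dep', '~1.2.3'));   // unpinned, 1.2.4
console.log(checkInstall(replaced, pins, 'dep', '1.2.3'));  // content-changed
```

Without a recorded digest, case (b) installs silently for the exact-version consumer; with one, both registry policies produce a visible signal instead of an unnoticed change.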
