Mikeal,

To sum up the way I currently see it, switching to immutable packages would:

 * solve a whole class of subtle problems caused by unrequested code changes
 * allow aggressive caching, reducing the cost of the npm registry and
making npm use faster for most use cases
 * change behaviour only for version-locked dependencies when that (and
only that) specific patch is unpublished

That's two HUGE wins, and one downside. The downside can be reduced to
near-obscurity by making unpublishing very rare: make it hard to unpublish,
so that authors only bother to do it if they genuinely need to... i.e.
serious legal or security reasons... cases where it's actually the right
thing to do to break dependent apps.

From what I've heard so far, force republish is mainly used to keep patch
numbers slow and sequential, which seems like a much lower priority
requirement than introducing behaviour changes silently and unexpectedly
into dependent apps.

Please do contribute more if you have more time... I do want to understand
the root cause of your replies, and please set me straight if I've missed
or misunderstood any of your comments.

Rich
On 19 December 2013 23:49, Mikeal Rogers <[email protected]> wrote:

> They won't :)
>
> Oh well :)
>
> It's better for things to work than for everyone to agree.
>
> -Mikeal
>
> On Dec 19, 2013, at 3:47PM, Alex Kocharin <[email protected]> wrote:
>
>
> Well okay, just one silly argument. How will these people know that
> they're doing the wrong thing if nothing will ever break? :)
>
>
> 20.12.2013, 03:42, "Mikeal Rogers" <[email protected]>:
>
> First off, if someone version locks they are already doing the wrong
> thing. Saying "make my package ignore bugfix releases" is almost always the
> wrong thing. In this case it's better to keep their package working for
> them since they clearly don't know what they're doing.
>
> If they **really** didn't want any changes coming in that they didn't know
> about then they had two other options that would still work: 1) check the
> module in to git if they are deploying at app or shrinkwrap publish if it's
> not something being deployed 2) stick the md5 in package json to ensure
> nobody can give them another tarball for the same version.
>
> We have to deal with what people are doing in practice when they don't
> necessarily understand the best practice and it's especially important when
> you maintain a common dependency to do what you can to keep everyone who
> relies on you working even when they don't do things correctly.
>
> -Mikeal
>
>

-- 
-- 
Job Board: http://jobs.nodejs.org/
Posting guidelines: 
https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines
You received this message because you are subscribed to the Google
Groups "nodejs" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to
[email protected]
For more options, visit this group at
http://groups.google.com/group/nodejs?hl=en