Comment by sebmellen
2 days ago
"Here, install my new 1-day old NPM package that doesn't let you install packages younger than 90 days."
Pardon me, I couldn’t help myself :D
I get that it's a joke, but I feel the need to defend this project anyway.
The problem with NPM isn't any one young package. The problem with NPM is that any time you run 'npm install', you download potentially thousands of packages, and you get the most recent patch release from all of them. Installing one 1-day-old NPM package to forever avoid day 1 releases of thousands of packages seems like a worthwhile trade.
Still, I would maybe choose the tried and true PNPM instead, which supports this too.
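As an added illustration of the "don't take anything younger than N days" rule being discussed (this is example code, not from the thread and not the package or pnpm's implementation): an npm registry packument carries a `time` field mapping each version to its publish date, so the newest version that has been public for at least N days can be chosen from that alone. The packument below is constructed sample data.

```javascript
// Added example: resolve a package to the newest stable version that has been
// published for at least `minAgeDays`, using the `time` field of an npm
// registry packument. SAMPLE_PACKUMENT is constructed data, not a real package.

const SAMPLE_PACKUMENT = {
  name: 'example-lib', // constructed name
  'dist-tags': { latest: '2.1.0' },
  time: {
    created: '2024-01-01T00:00:00.000Z',
    modified: '2025-06-02T00:00:00.000Z',
    '2.0.0': '2024-11-01T00:00:00.000Z',
    '2.0.1': '2025-02-15T00:00:00.000Z',
    '2.1.0-beta.1': '2025-05-20T00:00:00.000Z',
    '2.1.0': '2025-06-01T00:00:00.000Z',
  },
};

const MS_PER_DAY = 24 * 60 * 60 * 1000;

// Parse a stable "major.minor.patch" string into numbers; anything else
// (the 'created'/'modified' keys, prereleases) yields null and is skipped.
function parseStable(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(version);
  return m ? m.slice(1, 4).map(Number) : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Newest stable version published at least `minAgeDays` before `now`,
// or null when no version is old enough yet (the safe default: install nothing
// rather than fall back to a fresh release).
function newestMatureVersion(packument, minAgeDays, now = new Date()) {
  const cutoff = now.getTime() - minAgeDays * MS_PER_DAY;
  let best = null;
  for (const [version, publishedAt] of Object.entries(packument.time)) {
    const parsed = parseStable(version);
    if (!parsed) continue;
    if (Date.parse(publishedAt) > cutoff) continue; // too young, skip
    if (best === null || compareVersions(parsed, best.parsed) > 0) {
      best = { version, parsed };
    }
  }
  return best ? best.version : null;
}

// Exact "name@version" pin suitable for package.json (no ^ or ~ range).
function pinnedSpecifier(packument, minAgeDays, now) {
  const version = newestMatureVersion(packument, minAgeDays, now);
  return version ? `${packument.name}@${version}` : null;
}

// Demo on a fixed clock so the result is reproducible.
const demoNow = new Date('2025-06-15T00:00:00.000Z');
console.log('latest tag       :', SAMPLE_PACKUMENT['dist-tags'].latest);
console.log('90-day mature pin:', pinnedSpecifier(SAMPLE_PACKUMENT, 90, demoNow));
```

With the clock fixed at 2025-06-15, the 90-day cutoff is 2025-03-17, so 2.1.0 (published 2025-06-01) and the beta are passed over and 2.0.1 is chosen; against a live registry you would fetch the packument over HTTPS and feed it to the same function.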
> The problem with NPM isn't any one young package. The problem with NPM is that any time you run 'npm install', you download potentially thousands of packages, and you get the most recent patch release from all of them.
Isn't this simply wrong?
Last I checked, lock files work. They didn't for a long time, until a couple of years ago, as far as I know.
If you delete your lock file or explicitly run a package upgrade, sure, you get the latest versions compatible with your semver ranges.
> Installing one 1-day-old NPM package to forever avoid day 1 releases of thousands of packages seems like a worthwhile trade.
If you want to be extra sure, you can simply not use semver ranges in your package.json, or only for select packages.
As far as I know, this is recommended anyway.
Lockfiles work if you combine them with version pinning (exact version, no semver), or always run `npm ci` unless you’re intentionally attempting to update your packages.
I’ve always preferred exact versions because I’d rather updates be opt-in rather than an opt-out footgun. Otherwise any new dev to the project might accidentally pull some new version of a package that satisfies the semver requirement but modifies the lockfile, then they’ll check it into the code, and it’s another thing to fix at review time… there’s just a lot less friction if you use exact versions. It makes hermetic/reproducible builds and static dependency analysis easier, too.
Of course you need some update hygiene, preferably via an automated bot that opens PRs and runs tests. Renovate works well.
(btw, this same issue occurs with Docker base images; it’s better to base images on the sha256sum of the target image rather than a floating tag. Renovate can update those too.)
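The two pinning rules above (exact versions in package.json, base images by sha256 digest rather than a floating tag) are easy to enforce in CI. Here is an added example lint that does both; it is not code from the thread, Renovate or npm, and the package.json and Dockerfile it checks are constructed samples.

```javascript
// Added example: flag floating specifiers in a package.json and floating base
// images in a Dockerfile. Both inputs are constructed samples.

const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'my-app', // constructed
  dependencies: {
    'exact-dep': '1.4.2',
    'caret-dep': '^1.4.2',
    'tilde-dep': '~1.4.2',
    'tag-dep': 'latest',
    'git-dep': 'github:someorg/somerepo',
  },
  devDependencies: {
    'range-dep': '>=2.0.0 <3.0.0',
    'pinned-dev': '0.9.1',
  },
});

const SAMPLE_DOCKERFILE = `
FROM node:20-alpine AS build
WORKDIR /app
COPY . .
RUN npm ci
FROM node:20-alpine@sha256:0000000000000000000000000000000000000000000000000000000000000000
COPY --from=build /app /app
`;

// Only a bare x.y.z counts as pinned; ^, ~, ranges, tags and git refs all float.
const EXACT_VERSION = /^\d+\.\d+\.\d+$/;

// Return every dependency whose specifier is not an exact version.
function floatingDependencies(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  const floating = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (!EXACT_VERSION.test(spec)) floating.push({ field, name, spec });
    }
  }
  return floating;
}

// Return every FROM image that is not pinned by a @sha256:<64 hex> digest.
// Named build stages (FROM <stage>) and `scratch` are not pulled, so they are skipped.
function floatingBaseImages(dockerfileText) {
  const DIGEST = /@sha256:[0-9a-f]{64}$/;
  const stages = new Set();
  const floating = [];
  for (const raw of dockerfileText.split('\n')) {
    const m = /^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?/i.exec(raw);
    if (!m) continue;
    const [, image, stage] = m;
    if (stage) stages.add(stage);
    if (image === 'scratch' || stages.has(image)) continue;
    if (!DIGEST.test(image)) floating.push(image);
  }
  return floating;
}

// Combined report; `ok` is what a CI step would gate on.
function lintPins(packageJsonText, dockerfileText) {
  const deps = floatingDependencies(packageJsonText);
  const images = floatingBaseImages(dockerfileText);
  return { ok: deps.length === 0 && images.length === 0, deps, images };
}

const report = lintPins(SAMPLE_PACKAGE_JSON, SAMPLE_DOCKERFILE);
for (const d of report.deps) console.log(`floating dependency: ${d.field}.${d.name} = "${d.spec}"`);
for (const img of report.images) console.log(`floating base image: ${img}`);
console.log(report.ok ? 'all pinned' : 'pins missing');
```

Run it in CI before `npm ci`; a non-empty report means someone's lockfile-modifying install or a tag-only `FROM` slipped in, which is exactly the review-time friction described above.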
Doesn't NPM only respect lock files when you run 'npm ci'? I thought 'npm install' just used the constraints in package.json
remindme! 89 days
You would `npm link` that thing in real life I think.