I found that strange as well. My guess is that `npm` is just the package manager people are most likely to already have installed and doing it this way makes it easy. They might think asking people to install Cargo is too much effort. Wonder if the pattern of using npm to install non-node tools will keep gaining traction.
For many, installing something with npm is still easier. It chooses the right binary for your OS/architecture, puts it on your PATH, and streamlines upgrades.
Their Github releases provides the binaries, as well as a `curl ... | sh` install method and a guide to use github releases attestation which I liked.
They're not doing so here, but shipping a wasm-compiled binary with npm that uses node's WASI API is a really easy way to ship a cross-platform CLI utility. Just needs ~20 lines of JS wrapping it to set up the args and file system.
There's no such thing as a truly "cross-platform" build. Depending on what you use, you might have to target specific combinations of OS and processor architecture. That's actually why WASM (though they went with WASI) is a better choice; especially for libraries, since anyone can drop it into their environment without worrying about compatibility.
To my knowledge NPM isn't shipped in _any_ major OSes. It's available to install on all, just like most package managers, but I'm not sure it's in the default distributions of macOS, Windows, or the major Linux distros?
> The install script checks the OS and Arch, and pulls the right Rust binary.
That's the arbitrary code execution at install time aspect of npm that developers should be extra wary of in this day and age. Saner node package managers like pnpm ignore the build script and you have to explicitly approve it on a case-by-case basis.
That said, you can execute code with build.rs with cargo too. Cargo is just not a build artifact distribution mechanism.
> NPM has become the de facto standard for installing any software these days, because it is present on every OS.
That's not remotely true. If there is a standard (which I wouldn't say there is), it's either docker or curl|bash. Nobody is out there using npm to install packages except web devs, this is absolutely ridiculous on Google's part.
I found that strange as well. My guess is that `npm` is just the package manager people are most likely to already have installed and doing it this way makes it easy. They might think asking people to install Cargo is too much effort. Wonder if the pattern of using npm to install non-node tools will keep gaining traction.
Most people aren't going to have npm installed though. Nobody outside of web devs uses it.
"Most people" are webdevs
Bracing for getting cancelled
Why not just downloadable binary then?
For many, installing something with npm is still easier. It chooses the right binary for your OS/architecture, puts it on your PATH, and streamlines upgrades.
Their Github releases provides the binaries, as well as a `curl ... | sh` install method and a guide to use github releases attestation which I liked.
1 reply →
Why should the package's original language matter?
When I use apt-get, I have no idea what languages the packages were written in.
Because npm is not an os package manager, it's a nodejs package manager
Not everyone has or wants yet another package manager in their system.
They're not doing so here, but shipping a wasm-compiled binary with npm that uses node's WASI API is a really easy way to ship a cross-platform CLI utility. Just needs ~20 lines of JS wrapping it to set up the args and file system.
Doesn’t this seem excessive over just using rust’s cross platform builds?
There's no such thing as a truly "cross-platform" build. Depending on what you use, you might have to target specific combinations of OS and processor architecture. That's actually why WASM (though they went with WASI) is a better choice; especially for libraries, since anyone can drop it into their environment without worrying about compatibility.
1 reply →
Can you link to a sample of how I can do this?
Interesting fact, because cargo builds every tool it downloads from source, you can’t actually run cargo install on Google laptops internally.
NPM as a cross platform package distribution system works really well.
The install script checks the OS and Arch, and pulls the right Rust binary.
Then, they get upgrade mechanism out of the box too, and an uninstall mechanism.
NPM has become the de facto standard for installing any software these days, because it is present on every OS.
To my knowledge NPM isn't shipped in _any_ major OSes. It's available to install on all, just like most package managers, but I'm not sure it's in the default distributions of macOS, Windows, or the major Linux distros?
No package manager is. But of the ones that are installed by users, npm is probably the most popular.
9 replies →
More of a de facto standard for supply chain attacks tbh
> The install script checks the OS and Arch, and pulls the right Rust binary.
That's the arbitrary code execution at install time aspect of npm that developers should be extra wary of in this day and age. Saner node package managers like pnpm ignore the build script and you have to explicitly approve it on a case-by-case basis.
That said, you can execute code with build.rs with cargo too. Cargo is just not a build artifact distribution mechanism.
Yeah except you need to install NPM, whereas with a rust binary, which can easily compile cross platform, you don’t.
Honestly I’m shocked to see so many people supporting this
"NPM has become the de facto standard for installing any software these days, because it is present on every OS."
What?!? Must not be in any OS I've ever installed.
Now tar, on the other hand, exists even in windows.
> NPM has become the de facto standard for installing any software these days, because it is present on every OS.
That's not remotely true. If there is a standard (which I wouldn't say there is), it's either docker or curl|bash. Nobody is out there using npm to install packages except web devs, this is absolutely ridiculous on Google's part.
they offer npm for the large market of cli users who have it, and curl|bash to those who don’t. ¯\_(ツ)_/¯
I think there has been an influx of people vibe coding in Rust because its "fast" but otherwise they have no idea about Rust.