
How did losing Left-pad package on npm affect your operations? - forkLding
Generally curious about the effects and just want to get an idea from the frontlines on how operations have been affected.
======
MalcolmDiggs
Well... I spent the last hour hiding under my desk, curled up in the fetal
position, shaking and crying uncontrollably.

Left-pad is back in NPM, but that really doesn't address the underlying
issues. I don't know what we're going to do really. Hoping a new set of "best
practices" for dependency management reveal themselves in the next few days.

Checking our node_modules folder into source control (and avoiding ever 'npm
install'ing again) seems like a bad idea. NPM "shrinkwrap" seems like it
could work, but not if the modules disappear from NPM. Creating our own NPM
mirror and disabling "unpublish" seems plausible, but is it worth the effort?
Idk... I'm considering assembling our node_modules folder from github commits
rather than npm package names, but that's only a solution if all of our
dependencies are doing the same thing (otherwise we're still tied to NPM in
some way and vulnerable to packages being unpublished). And of course things
can be taken down from Github just the same...but at least Github is
namespaced to the username. I think the only "good" solution is to disable
unpublishing from NPM...but that's completely out of my control.

Back to the fetal position...

~~~
acemarke
I'm still learning and prototyping my first JS/NPM/React project, but
[https://github.com/JamieMason/shrinkpack](https://github.com/JamieMason/shrinkpack)
seems to me like it solves _most_ of the issues involved here. It pulls down
all the tarballs, and updates the npm-shrinkwrap.json to point to those
instead. That way you check in a much smaller "node_shrinkwrap" folder of a
few hundred tarballs and 15-20MB, rather than a node_modules folder of 30K
files and 150MB and a bunch of platform-specific build outputs.

Still doesn't solve the issue of installing new/updated dependencies that
might actually require pulling in something that vanished, but at least once
you've done an install and run "shrinkpack", you've got everything you need to
rebuild right there.

------
cjbprime
Our build/deploy process does `npm i react-native`, which depends on babel,
which depends on left-pad, so our builds failed for a little while.

We use `npm shrinkwrap` to stay fixed on specific versions of packages, but
that doesn't help if they're unpublished.

------
pizza
A blockchain-based versioned package manager might just be a killer app for
Ethereum!!

------
patmcc
This whole debacle is making me push back hard on the idea to replace all our
old ugly bash build scripts with shiny new node.js/grunt/gulp ones.

------
mildweed
Seriously considering putting our node_modules folder in a repo of its own.

