
Show HN: ied – an alternative package manager for Node - blubbi2
https://github.com/alexanderGugel/ied
======
blubbi2
Hey everyone!

I made this. I'm happy to answer any questions, but please bear in mind that
this is a WIP. There is still a lot of work to be done, although feature
parity with npm is _not_ the goal.

Upcoming features are:

* Nix-like rollbacks
* built in registry server
* discovery + installation via BitTorrent DHT

Would love to get any feedback!

~~~
diggan
For the discovery and installation, you might be interested in looking into
using IPFS for it. Kind of gives you all the features you want out-of-the-box.
Also, another guy is working on mirroring the npm registry in IPFS, might be
interesting for you:
[https://github.com/diasdavid/registry-mirror](https://github.com/diasdavid/registry-mirror)

~~~
daviddias
Hi Alexander, this is really great!

I've started `registry-mirror` to demonstrate how a Content-Addressed file
structure and P2P discovery can bring a lot of speed improvements, especially
when the bottleneck is low bandwidth/latency to the backbone, by connecting to
more local peers that have the content that we are looking for.

Right now, the goal with `registry-mirror` is to have a very large IPFS node
in the network with the entire npm and that keeps replicating it, while end
user machines only download the modules they need (and if they agree, provide
them to the network as well). Each end user will be able to get the latest
state of the registry, through an IPNS hash, a mutable pointer, that changes
each time the mirror is updated.

The nix package manager model layers perfectly on top of IPFS' MerkleDAG
([https://github.com/ipfs/specs/tree/master/merkledag](https://github.com/ipfs/specs/tree/master/merkledag)),
it can be a very awesome transport for ied. An example of a package manager
that uses IPFS to distribute the packages is GX
[https://github.com/whyrusleeping/gx](https://github.com/whyrusleeping/gx) -
Still a WIP.

If this is interesting to you, join us at IRC Freenode #IPFS, it would be
great to bounce more ideas! :)

------
drinchev
That seems so cool. One question is how compatible is it with npm? Can I use it
as a drop-in replacement (talking about the CLI tool)?

~~~
blubbi2
Mostly, yes, but there are some features that are still missing:

`ied publish` and `ied version` are coming next week. I'm also thinking of
adding scoped modules, but I'm not sure about that yet.

You can also configure a private npm registry to be used:
[https://github.com/alexanderGugel/ied/blob/master/lib/config...](https://github.com/alexanderGugel/ied/blob/master/lib/config.js#L9)

------
jmandzik
Cloned a popular project (babel) and on a MacBook Pro:

    npm install  52.28s user 8.08s system 73% cpu 1:22.41 total
    ied install  10.22s user 4.36s system 142% cpu 10.230 total

Impressive.

~~~
blubbi2
Awesome! Glad it worked that well! Please let me know if you run into any
bugs:
[https://github.com/alexanderGugel/ied](https://github.com/alexanderGugel/ied)

~~~
jmandzik
Happy to open an issue, but any plans on supporting git+ssh urls? For work
projects, we have some modules installed via git and when I tried to install,
I got the same error described here:
[https://github.com/alexanderGugel/ied/issues/2](https://github.com/alexanderGugel/ied/issues/2)

Very promising project!

~~~
tracker1
+1 here, git+ssh and git+http(s) are essential imho... it's the easiest way to
sidestep the need for an npm server for some internal projects/libraries.

~~~
blubbi2
Agreed. It's definitely on the roadmap. Should be done in a couple of weeks.

------
nadocrew
You say you are creating a more performant NPM. Is it impossible to fix the
current NPM? Why not submit fixes back to NPM? Why create a new project?

~~~
actualprogram
The irony of this question should be apparent if you search for packages on
npm today. How many "new projects" are there?

In answer, why _not_ create a new project? NPM INC controls npm, hasn't
contributed it to the node foundation (despite playing a pivotal role in
creating said foundation), and hasn't been especially good at taking
contributions recently.

A new project dodges all those existing problems, demonstrates alternate
approaches are both feasible and compatible, and destroys the myth that npm is
fundamental to node, rather than simply the first of many package management
systems that take advantage of node's import semantics.

~~~
randylahey
I wonder what reasons there are for not putting npm in a foundation in the
same way that happened to Node itself? Surely such a critical piece of Node
infrastructure shouldn't be controlled by a single (for-profit) company.

------
gfosco
I never thought to myself, "wow, npm is slow." Is that really the core problem
this is solving?

~~~
lobster_johnson
NPM 2.x is actually very slow.

Part of that is just the monstrous number of files involved. For example, one
of our projects has 48 dependencies, which installs 24,421 files under
node_modules. NPM could probably benefit from managing each dependency as an
archive.

We do atomic deploys and try to make them reproducible, so for each deploy we
do a fresh install from npm-shrinkwrap.json, but even when all the modules are
in NPM's local cache it's very slow at copying everything.

Unfortunately, NPM doesn't version the node_modules folder (a package becomes
./node_modules/mypackage/...), so you can't reuse it. The NPM cache _is_
versioned ($cachedir/mypackage/3.23/...), but can't be used directly. It would
be much better to skip the cache altogether, and have node_modules embed
version strings (./node_modules/mypackage-3.23/...). Then you could easily
share the folder across builds.

NPM is also pretty brittle. We frequently have deploys fail because of
transient network errors (repository timing out or similar) that cause NPM to
fall over. The dreaded mysterious "npm ERR cb() never called" error still hits
us weekly.

(Speaking of reproducible builds: NPM lets people unpublish packages.
Sometimes old versions just disappear, presumably because they were
unpublished. 6 months later you want to deploy a certain app, and you find it
depends on some package X, which deep in its dependency graph relies on
package Y 0.3, but 0.3 is gone from npmjs.com, so you have to upgrade for no
reason at all.)

~~~
alessioalex
Well, you're definitely in for a treat with NPM 3. And I don't mean that in a
good way.

~~~
lobster_johnson
How so?

------
crabasa
_> The easiest way to install ied is using npm_

Bootstrapping ftw.

~~~
blubbi2
The initial set of dependencies is being installed via npm, then it installs
its own dependencies via ied if told so:
[https://github.com/alexanderGugel/ied#installation](https://github.com/alexanderGugel/ied#installation)

This is a "cool" feature during development, since it's a nice proof of
concept.

Originally I checked in the node_modules directory, but then reddit was
shitting on me as usual (yes, you shouldn't check in node_modules in an actual
app, but this is a PACKAGE MANAGER!). As far as I know, npm also has its own
dependencies checked in + a ton of packages as tarballs for tests, so I might do
that later.

~~~
dkns
Dude, don't listen to reddit when it comes to managing your own open source
project.

~~~
mikekchar
I was just thinking about that yesterday. I write my own projects so that I
don't have to dance the political dance and make my colleagues happy. My own
projects are for exploring my own ideas. Advice is always appreciated, but if
someone wants to dictate how I write code in my own projects, they better damn
well pay me (a lot).

To the OP: Don't let people bully you. Many people have strong ideas and will
want you to do things their way. You aren't going to make everyone happy,
though. _Somebody_ will be pissed off no matter what you do (if you are
popular enough -- normally people won't pay any attention to you ;-) ).
"Because that's what I want to do" is a completely valid reason for any
decision on your own project.

------
xrstf
> produces a flat node_modules directory

Finally. npm's node_modules makes Node on Windows unbearable from time to
time.

Shut up and take my money!

~~~
nailer
npm v3 already does this by default.

------
macmac
Unfortunate naming ie
[https://en.wikipedia.org/wiki/Improvised_explosive_device](https://en.wikipedia.org/wiki/Improvised_explosive_device)

~~~
blubbi2
Damn. Didn't think of that.

In fact I literally just renamed it:
[https://github.com/alexanderGugel/ied/commit/84628b3c871c85d...](https://github.com/alexanderGugel/ied/commit/84628b3c871c85d7424d9d4a3813b19d02721bc6)

Originally it was called mpm, but I figured that would have been pretty
confusing, but it looks like the new name isn't necessarily better.

I'm pretty terrible at naming. Any suggestions are more than welcome!

~~~
diggan
I think it's fine as it is. Could have chosen a worse name for sure! And,
managing dependencies is like dealing with explosives anyways...

~~~
JoshTriplett
> And, managing dependencies is like dealing with explosives anyways...

Only funny for anyone who _hasn't_ been affected by one, or had friends or
family who were. Still better to avoid names with negative connotations (and
search for them first to check).

> Any suggestions are more than welcome!

A few ideas:

bpm - Better Package Manager

edge - the thing that connects nodes

jpm - Javascript Package Manager

ppm - Peer Package Manager

fpm - Functional Package Manager

ayp - All Your Packages

nnm - New Node Manager

~~~
blubbi2
As I said earlier, it wasn't my intention to name it after a weapon.

That being said, it's a three letter name. It's very unlikely NOT to run into
naming conflicts here.

edge - taken by Microsoft

jpm - JPMorgan

ppm - taken by Perl package manager:
[https://en.wikipedia.org/wiki/Perl_package_manager](https://en.wikipedia.org/wiki/Perl_package_manager)

fpm - taken by Effing package management:
[https://github.com/jordansissel/fpm](https://github.com/jordansissel/fpm)

bpm - beats per minute

ayp - terrible to type, although taken by "Adequate Yearly Progress":
[https://en.wikipedia.org/wiki/Adequate_Yearly_Progress](https://en.wikipedia.org/wiki/Adequate_Yearly_Progress)

nnm - What happens when it's no longer new?

Just in Germany for example there are a ton of companies called ISIS (just
google "ISIS GmbH"). Being offended by a three letter shell command seems a
bit over the top to me to be honest.

Edit: I won't respond to further comments on the naming issue. It wasn't my
intention to name it after a weapon. As I said earlier, I will change the name
as soon as anyone proposes a better one.

~~~
hatsix
Yeah, but when people do a google search for IED, what are they going to find?

I'd worry less about offending someone because they had to type it, and more
about SEO. I'd stick with things that don't have pictures of gore and
destruction on the first page of search results.

So, that's a really good reason to not.

Also, your response was shitty... You specifically state that you chose IED
because it's "easy to type"... but when someone says "Hey, that's what we call
bombs that insurgents use to kill people with", you reply "Yeah, but the
alternative is an acronym used by JP Morgan... People getting offended by me
naming something after a way to kill people are being over the top". If "IED"
happened to actually mean something, fine, make a case... but it isn't
actually easier to type than anything else... If you want that, name it ASD,
which shouldn't have any conflicts, as the top google search result is
Anchorage School District... and I couldn't find any conflicting package
names.

I get it, people are constantly picking on things and suggesting that they
need to be more PC... but in this case, there is absolutely NO reason for you
to stick with the name IED... and several reasons to change it (SEO,
offensiveness, typability).

Also, good news for German companies... The news has started using different
acronyms for ISIS... I've seen IS and ISIL in regards to the Paris bombings,
as they're more true to the literal translation.

~~~
tracker1
Another Stupid Deployment (ASD)... just suggesting a corresponding name to
work with.

------
js_throw_away
Guys NPM is not the problem, Javascript is.

