
Ask HN: Post leftpad-ocolypse, practical guidelines for Node devs? - jonahx
I'm looking for practical takeaways in the wake of the npm/leftpad disaster.

Should I still use npm? If so, should I adopt specific practices in my package.json, etc?

Should I be considering some other package manager?

Other stuff?
======
beachstartup
"if a repo is worth using, it's worth mirroring, and archiving. and
potentially forking, too."

-- i just made that up.

(but we _actually do, in fact, do all of that_ for our major dependencies like
upstream OS's, build deps, GitHub repos, cm, etc.)

if you don't have anyone on your team that knows how ......... well, you
should probably fix that.

------
gonyea
Commit your node_modules to source control. I've saved myself repeatedly by
not putting node_modules in the project's gitignore.

- All developers on a project are in sync.
- You can get the repo back into a good state if npm choked.
- You can go back in time to a prior version _with_ all of its actual
dependencies at that point in time.

~~~
borplk
I'd suggest people bake in an archival process during their deploys so you
always have a zip/tarball of the entire source code and node_modules that you
deploy, but still use npm install during development.

------
dizzy3gg
Just read a few good tips here[1]. Basically shrinkwrap and use a private npm
server/cache.

1 -
[https://news.ycombinator.com/item?id=11354147](https://news.ycombinator.com/item?id=11354147)

------
plugnburn
The advice is simple: Don't rely on third-party stuff you can implement
yourself with no significant effort. And for stuff you can't, backup those
modules.

~~~
jonahx
What is the best way to backup modules? Do you need to create your own private
module host, as you can for ruby gems?

~~~
plugnburn
I may sound old but one can start with just backing up node_modules/
directory.

If third party modules are hosted on GitHub, you can fork them.

------
Diti
Is there a package manager out there with signed releases (GPG or something)?

------
tmaly
vendoring if such a thing is possible is the first thing that comes to mind

