
Yes, but I can publish an evil left-pad@0.0.10, and if you're not shrinkwrapping or any sub-dependency has left-pad: "^0.0.3", it will pull in the evil 0.0.10 version.

EDIT: I stand corrected. See below, it looks like that's not the case specifically for "0.0.x" versions, but it gets progressively more relaxed if there's a non-zero minor version specified. However, many of the unpublished packages had varying major and minor versions, which would have the looser caret range behavior.




No it won't... The caret specifier for 0.0.x packages means "this version and this version exactly".


He's right, for `0.0.x` versions it means "this version and this version exactly".

https://docs.npmjs.com/misc/semver#caret-ranges-123-025-004

And to be honest, it's news to me. Sorry, I impulse-downvoted you...


No problem! It's not super well-known since they switched from tildes to carets and tildes didn't behave that way.


Some examples of how it works:

    ^1.2.3 := >=1.2.3 <2.0.0
    ^0.2.3 := >=0.2.3 <0.3.0
    ^0.0.3 := >=0.0.3 <0.0.4
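
An added example, not from anyone in this thread, that models the three caret cases above and the "evil left-pad@0.0.10" scenario from the top comment. It is written from scratch rather than using npm's real `semver` package, handles only plain `x.y.z` versions (no prerelease tags), and the "published" version lists are constructed data, not real registry output. It shows which dependency specs would silently pull in a hijacked newer release when no shrinkwrap or lockfile pins the exact version:

```javascript
// Added example: a minimal model of npm's caret-range rules, written from
// scratch (NOT the real `semver` package). Only plain x.y.z versions are
// handled; prerelease tags and build metadata are out of scope.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison field by field, so "0.0.10" sorts above "0.0.4".
function compareVersions(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

// Translate "^x.y.z" into the explicit ">=lower <upper" range npm uses.
// The leftmost non-zero field is the one that may not change:
//   ^1.2.3 -> >=1.2.3 <2.0.0
//   ^0.2.3 -> >=0.2.3 <0.3.0
//   ^0.0.3 -> >=0.0.3 <0.0.4   (effectively an exact pin)
function caretRange(range) {
  if (!range.startsWith('^')) throw new Error(`not a caret range: ${range}`);
  const lower = range.slice(1);
  const [major, minor, patch] = parseVersion(lower);
  let upper;
  if (major > 0) upper = `${major + 1}.0.0`;
  else if (minor > 0) upper = `0.${minor + 1}.0`;
  else upper = `0.0.${patch + 1}`;
  return { lower, upper, text: `>=${lower} <${upper}` };
}

function satisfies(version, range) {
  const { lower, upper } = caretRange(range);
  return compareVersions(version, lower) >= 0 && compareVersions(version, upper) < 0;
}

// Without a shrinkwrap/lockfile npm takes the highest published version that
// satisfies the range. `available` is constructed sample data.
function resolveHighest(range, available) {
  const matching = available.filter(v => satisfies(v, range));
  matching.sort(compareVersions);
  return matching.length ? matching[matching.length - 1] : null;
}

// Worked scenario from the thread: a hypothetical newer release appears after
// the version a dependent pinned with a caret.
function demo() {
  return {
    // "^0.0.3" with a new 0.0.10 published: 0.0.10 is NOT pulled in.
    exactPin: resolveHighest('^0.0.3', ['0.0.1', '0.0.2', '0.0.3', '0.0.10']),
    // "^0.2.3": any later 0.2.x is pulled in, 0.3.0 is not.
    relaxed: resolveHighest('^0.2.3', ['0.2.3', '0.2.9', '0.3.0']),
    // "^1.2.3": any later 1.x.y is pulled in, 2.0.0 is not.
    major: resolveHighest('^1.2.3', ['1.2.3', '1.9.0', '2.0.0']),
  };
}

console.log(caretRange('^0.0.3').text, demo());
```

The takeaway for a defender is the `relaxed` and `major` cases: for any dependency whose leftmost non-zero field is the major or minor, a caret spec accepts whatever newer release the registry serves, so only a lockfile or shrinkwrap (or an exact version) fixes the resolved version.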


Why don't they just use that version notation? (>=0.0.2,<0.1.0) would be much simpler.


For every single dependency in most projects that honor semver? ^ is just an extremely convenient shorthand.


You're right, I added an edit to my comment.


That's an interesting side effect.


Wouldn't (shouldn't) npm block same named modules from being uploaded with a different username?

Proposal: go with a java based naming system: com.yc.mymodule.

All installations would require the user to use com.yc.* in package.json and all users would be required to register as a com.yc style organization name. Thus only one user can remove/add that exact module.


npm has namespaces, but they are optional and not hugely adopted as of yet.


Hmm but then is the scope/namespace reserved for each user that reserves/uses it? If I publish @andy9775/left-pad can someone publish under @andy9775/other-module or can only I publish under @andy9775/...?

If so, why is no one using this???


Yes, namespaces are specific to your username. Nobody else can publish packages under your username namespace.

I think it's less common because it was released along with private modules and is often conflated with them. Basically all packages are still namespace-less. TBH I never thought about the benefit they'd have until now.



