Hacker News new | comments | show | ask | jobs | submit login

couple of days ago i was all smug from upvotes for calling npm best practise.

i take that back, npm is a security risk that should be avoided.

now i need a new package manager.

Notice that I didn't talk about the node package manager, but about the author and the company NPM Inc. (and their registry service).

It's not that your "build got broken", it's that you had a broken build process. You are the one at fault. You chose (perhaps unconciously) to rely on various entities, their services, their whims, and they proved to be unreliable.

The simplest solution for those who write an application is to commit the dependencies into the repository as well. This significantly lowers the amount of entities relied upon when building it. (Alternatively, have your own registry, whatever.)

Then you can discuss issues like the ideal module granularity, ethics of this or that actor, names and trademarks, etc. without worrying about your "broken build".

Well, now I'll upvote you for saying something else that seems wise, so it's all good.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | DMCA | Apply to YC | Contact