Hacker News new | comments | show | ask | jobs | submit login

Because NPM knows a module has been unpublished, it can try to be smart about it and change existing package.json so there will be no more updates to that module.

I also think dependencies should be non-flat/tree/static. So that you only have to trust one dependency, and not all of it's child dependencies and their dependencies too. You should only need to manage your own dependencies, not other peoples dependencies.

There should also be a way to contact everyone who use your module, so you can tell them about critical bugs etc.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | DMCA | Apply to YC | Contact