Ask HN: Post leftpad-ocolypse, practical guidelines for Node devs?
19 points by jonahx on Mar 24, 2016 | hide | past | favorite | 9 comments
I'm looking for practical takeaways in the wake of the npm/leftpad disaster.

Should I still use npm? If so, should I adopt specific practices in my package.json, etc?

Should I be considering some other package manager?

Other stuff?

"if a repo is worth using, it's worth mirroring, and archiving. and potentially forking, too."

-- i just made that up.

(but we actually do, in fact, do all of that for our major dependencies like upstream OSes, build deps, GitHub repos, cm, etc.)

if you don't have anyone on your team that knows how ......... well, you should probably fix that.

Commit your node_modules to source control. I've saved myself repeatedly by not putting node_modules in the project's gitignore.

- All developers on a project are in sync.
- You can get the repo back into a good state if npm choked.
- You can go back in time to a prior version with all of its actual dependencies at that point in time.

I'd suggest people bake in an archival process during their deploys so you always have a zip/tarball of the entire source code and node_modules that you deploy, but still use npm install during development.

Just read a few good tips here[1]. Basically shrinkwrap and use a private npm server/cache.

1 - https://news.ycombinator.com/item?id=11354147
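As an added example (not code from the thread), here is a small audit of an npm-shrinkwrap.json tree that enforces the two tips above: every dependency, including nested ones, must be pinned to an exact version and must resolve from a registry host you control (the private npm server/cache). The shrinkwrap object and the host `npm.internal.example` are constructed for illustration.

```javascript
// Exact-version check for shrinkwrap "version" fields (e.g. 1.0.0 or 1.0.0-beta.1).
const SEMVER_EXACT = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$/;

// Walk the shrinkwrap "dependencies" tree recursively and collect findings:
// unpinned versions, missing resolved URLs, and tarballs fetched from a host
// that is not in allowedHosts (i.e. not your private mirror/cache).
function auditShrinkwrap(shrinkwrap, allowedHosts) {
  const findings = [];
  function walk(deps, path) {
    for (const [name, entry] of Object.entries(deps || {})) {
      const here = path.concat(name).join(' > ');
      if (!entry.version || !SEMVER_EXACT.test(entry.version)) {
        findings.push({ path: here, problem: 'version not pinned', value: entry.version });
      }
      if (!entry.resolved) {
        findings.push({ path: here, problem: 'no resolved URL', value: undefined });
      } else {
        let host = null;
        try { host = new URL(entry.resolved).host; } catch (e) { /* unparsable URL */ }
        if (!host || !allowedHosts.includes(host)) {
          findings.push({ path: here, problem: 'resolved from unapproved host', value: entry.resolved });
        }
      }
      walk(entry.dependencies, path.concat(name)); // nested deps are shrinkwrapped too
    }
  }
  walk(shrinkwrap.dependencies, []);
  return findings;
}

// Constructed sample shrinkwrap (illustrative names/URLs, not real data).
const SAMPLE = {
  name: 'myapp', version: '1.0.0',
  dependencies: {
    'left-pad': { version: '1.0.0', from: 'left-pad@^1.0.0',
      resolved: 'https://npm.internal.example/left-pad/-/left-pad-1.0.0.tgz' },
    'some-lib': { version: '2.3.1', from: 'some-lib@2.3.1',
      resolved: 'https://registry.npmjs.org/some-lib/-/some-lib-2.3.1.tgz',
      dependencies: {
        'other': { version: '^0.1.0', from: 'other@^0.1.0' } // unpinned, no resolved URL
      } }
  }
};

// Stand-alone run: print each finding; a clean tree prints nothing.
const results = auditShrinkwrap(SAMPLE, ['npm.internal.example']);
results.forEach(f => console.log(`${f.path}: ${f.problem} (${f.value})`));
```

In a real project, load the file with `JSON.parse(fs.readFileSync('npm-shrinkwrap.json'))` and fail the deploy when the findings list is non-empty.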

The advice is simple: Don't rely on third-party stuff you can implement yourself with no significant effort. And for stuff you can't, backup those modules.

What is the best way to back up modules? Do you need to create your own private module host, as you can for Ruby gems?

I may sound old, but one can start with just backing up the node_modules/ directory.

If third party modules are hosted on GitHub, you can fork them.

Is there a package manager out there with signed releases (GPG or something)?

Vendoring, if such a thing is possible, is the first thing that comes to mind.
