The real issues that a package repository should address are security and verifiability. Is this package trustworthy? Is the latest minor version bump safe to use? What about dependencies deep down the tree? How to automatically detect when a package has been hijacked? How to handle benign package takeovers, e.g. package owner deciding to give ownership to maintainers. Etc etc.
It lets you choose quote character, indentation size, and that basically it.
Relates to the "indentation width."
Yes, that's another big user-configurable parameter.
This exists only for JS version compatibility.
Yeah, those are there too.
From my (admittedly not super deep) experience with multiple package manager (Maven, Gradle, LuaRocks, Ruby gems, the abominable circus of tools they use the Python environment, ...), I found NPM to be by far the most reliable/easy-to-use tool.
That being said, being the best is not necessarily the end goal when the competition is terrible.
1. There is no way to define deployment tokens per package. If you have an organization and want to deploy via CI/CD this can be problematic. If one token is leaked, it affects all packages
2. You cannot enforce 2FA for accounts in organization. So you also have problems if you don’t use CD.
These two problems could be addressed by the registry, the other’s are more of UX Gaps.
3. It is not easy to verify that a package contains the thing that is checked into source. We make it arguably harder by transpiling, etc.
4. It is not widely known how to use npmignore. Often packages contain unnecessary things like all of their documentation website or big images or tests. There could be better UX around that when you create packages or explore packages. The amount of temporary files published by an author in packages is just crazy.
These are the problems from the top of my head, I am sure that I could come up with more. It doesn’t mean that other package managers are better or that NPM is bad, but there is room for betterment.
Python package management is a drama, but I've heard Java developers defend their system, forgot if it was maven or gradle.
My main issue with NPM was belatedly solved when Yarn came out. The whole node_modules thing makes me consider it inferior to the others I mentioned, but I'm not sure it can be called a problem.
More anecdotally, I've had bad experiences with upgrades, though admittedly, the fact that Windows support is a second-class citizen in many popular gems might have been part of that.
The old way had risk at two steps and now it's reduced 50%
Plus, what about package signing? If the released version comes directly from the repo, does that mean the final package isn't signed by a maintainer?
This is not a fix for NPM. This is tooling, convenience.
That's the most absurd sentence thing I've seen in awhile, editing is orthogonal to package management. But others have that thread covered. This got my attention:
> Pika publishes each package directly from source, so malicious or hacked authors can't skip code review or sneak malicious code unnoticed into the registry.
I don't see how injecting yourself in the middle solves the problem, since exfiltrating data in the background from a downstream app is both necessary for some services and hard to identify as "bad".
What I'd like to see in a registry is a registration fee per project (or pay per publish), non-anonymous registration (provide a government issued ID and mandatory 2FA), delayed deployment after publishing, and aggressive but open auditing. Plus org/user namespacing.
Basically if you have an environment where a bad actor has to pay money, steal someone's identity, and takes awhile before they can even verify their attack has been successful - you'll cover a huge chunk of the attack surface area.
As for requiring real-world ID to spend money, why are you averse to that? AirBNB does that, your landlord does it, your bank does it. Does your employer do business with people anonymously? I think the bounds of privacy stop once you start shipping product to the world. If you want to remain anonymous, fine, go to an untrusted distribution channel where your code ca remain. If you want people to trust you, put some skin in the game.
Your second point is the exact opposite of what most OSS developers want. By and far, most OSS projects are small components that end up somewhere down the dependency tree. This means someone else (a-la React) would get the money while leaving smaller dependencies (a-la string utils) unfunded. This is the polar opposite of what maintainers want.
Your last point of wanting trust is a straw-man. I already made it clear in my previous reply: as an OSS developer, I do not care if people trust my code. There is simply no incentive for me to care about it. People consuming my packages reasonably do want some sort of validation, but that's their desire, not mine, so why would I pay for that?
If you have some incentive to share your code I assume it is you want your users to have and use your code. If you want them to use your code you want them to be able to trust that code too.
Because that's how open source works? People publish stuff somewhere and others can use it. Explicitly no warranties are made. Anyone who uses it does so at their own risk.
> If you want them to use your code you want them to be able to trust that code too.
Trust doesn't have to be paid for in a walled garden model. People can use my code because they audited it and found that it's good. Or they could just use it because they know my reputation and trust it.
Definitely. My question was "Why do they do it?". Nothing forces you to publish it. So there must be a reason why you do that. I assume it is because you want other people to use your software, for whatever reason.
So if you want people to use your software surely you want your software to be of high quality, which includes that people can know it is of high quality, which is where validation might help.
Whether you should pay for validation is a different question, I'm not saying you should.
> I assume it is because you want other people to use your software, for whatever reason.
No–as an OSS publisher I just want to make it possible for other people to use it. I don't necessarily have to want them to use it.
> ...surely you want your software to be of high quality
Again, not necessarily. It's a mix of factors–how much time and energy I have, how important the code is to me, whether I actually do want others to use it, etc. But there's nothing inherent in publishing OSS that says it has to be high-quality.
The problem with IDs and paying for registration is that this is specifically not a business, unless you're talking about a private registry that users also have to pay to consume.
If you have an environment where a good actor has to pay money, provide their passport name with proof of identity, and has to put up with artificial deployment delays, I think you'll miss out on a huge chunk of good actors.
I'm not convinced that it's possible to outsource your trust and audit decisions to some third-party system. We should be scaling at the speed of actual human trust, not giving up our privacy to companies or our security to randos.
And a fee is just a small bump in the way of bad actors that would like to monetize their misdeeds.
There is a time and place for anonymity, but I don't think a dependency registry is one of them (most of the time). And I think if you're going to make a new registry, such verification is a way to make yourself different.
The way you do that is by having signed packages. Gov IDs don't help with that, unless the registry verified the ID every time you published an update, which is impractical (unless you have a smart ID card, but most governments don't issue those).
People are attached to IDEs like no other tool; they won't leave their customizations, key bindings, themes and switch to an unproven alternative. This isn't true all the time, but holds 99.9% of the time.
Also, despite being fairly familiar with the JS ecosystem I am unable to make out what Pika does from the landing page. You probably need to do a better job of explaining the product.
This seemed fairly succinct:
> Pika is a new kind of package registry for the modern web
> 100% ESM
Here's some additional info: https://www.pika.dev/about
But using your fork of it instead? Not a chance.
By using their CDN you can already make pages and apps with just a text editor, without node, npm, webpack, etc.
I think it makes sense for them to try to improve the experience of package creation and publishing too.
Or is the idea to have a registry full of tutorial packages?
Pika CDN and @pika/cli can potentially make newbies' lives easier, but it doesn't mean that every project under the Pika umbrella is aimed exclusively at newbies.
> Pika is building a world where third-party libraries can be loaded, cached, and shared across sites.
Aren't most browsers disabling/about to disable cross-origin caching?
A tool like Pika isn't going to understand that without making broad assumptions of my project's structure. This is more than just, oh "Do I need ES Modules or Common JS?" or "That file needs to transpiled since it uses the spread operator, and I happen to be rendering on IE 11, which doesn't support that."
In other words, I find this to be an interesting solution, but not something I'd feel comfortable with in enterprise-grade applications.
Just learn how bundlers and transpilers work. It's going to be easier to do that, then understand why Pika won't do what you need it to, having to go through yet another layer of abstraction. I've been disappointed by tools in the past that try to abstract away the "difficult" parts of maintaining a webpack.config.js and babel.config.js file. I truly believe it is more beneficial for developers to learn these things, instead of trying to be ignorant of them and then fighting with a tool like Pika or a toolkit that doesn't meet your needs.
Choose for yourself the better choice, and make your own toolkit: https://kentcdodds.com/blog/concerning-toolkits
> "Pika is building a world where third-party libraries can be loaded, cached, and shared across sites" ... "With ESM and cross-origin caching, we can create a world where sites can share cached dependencies."
This is an interesting angle on a package registry. The goal seems difficult to achieve as well since the common web cache as we know it is dying. It seems like we'd need some sort of "dependency" support for web browsers if we'd ever want to achieve it.
All-in-all I love that design trends have gone this direction as I think it's a friendlier and more efficient means to convey information =)
Years ago skeuomorphism was a popular trend which is to try to make things 3D representing real-world objects (buttons, dials, etc). Although it's still highly prevalent in UI design, we've really backed off of the trend. A great example of this is early vs. current iOS. I mention this because there's a ton of great "skeuomorphism vs flat design" stuff out there discussing the ethos of sites like this.
It is present in the artwork too. Solid block colours and focus on geometric shapes. There are varients too (Facebook and Google do something similar, but their UX controls are sharper, but artwork similar design to this).
I think it's just a current trend in the SaaS world. Search for "SaaS website templates" and you'll find most of them have this same style.
* I don't know about European Portuguese.
The correct spelling for the slang would be "pica", but both have the same pronunciation.
Having a webpage that just spins up VSCode and allows us to publish and test in a registry might be just what we need, no?
I know lots of devs are different, but if I could do all my work in a web app and never install any development software in my laptop, I'd do it in a heartbeat.
The problem is, a) this makes it virtually impossible to use any dependencies from NPM on the front-end without a bundler, which means a minimum required amount of configuration and tooling, and b) you lose out on some potential caching benefits because files that may not change much can't be distinguished.
So why doesn't everyone just use the new modules syntax so that code can be loaded in the browser, as separate modules, without bundling? Because if even a single one of your NPM dependencies is still in the other syntax, you're up a creek. It's like the IPv6 problem: until everyone has it, nobody does.
So projects like (I think) Pika have cropped up to try and address this. If it really does auto-convert packages to the new modules syntax, that eliminates the biggest reason to use build tooling in a modern JS project. You could theoretically get away with having no build process at all.
I'm interested in importing packages directly instead of transpiling stuff in some cases, but I don't see how would that work.
I'll start using this thing.
* Not good enough HTTP2 support in browsers. Browser will for example download pushed files twice, once when pushed, then again when imported, and not caching the pushed files.
* Many developers prefer to brake their code up into small files, meaning there will be a lot of hops until the entire dependency tree has been resolved.
* There is no standard for lazy loading, meaning the user need to download everything, even if only 5% is actually required.
As much as a hate bundlers, and would like to see more code moduleability on the web, bundlers get the job done using code splitting, deduplication etc.
It seems like the niche served by a package manager/cdn that serves native ESM modules is rather small.
The code editor seems unnecessary too, but it's built on VSCode so it can probably be repurposed into an extension easily. Better tools for publishing packages are needed though, and I like how it helps setup a modern environment for creating packages.
Sadly, as others have noted, this Pika thing does not quite address these issues.
2 years is really not a long time, though it seems to be for the JS ecosystem.
I’m keen to see how Pika Code improves the end to end dev experience by presumably being tightly integrated with deployment. Remind me of Dark in a way.
npm init esm
npm init react-app
Also the only thing I can see without scrolling down is a "give me your email" box. Not a good sign.