feedback VS rfcs

no-one-left-behind[1] was not even a year ago, and yet the link on npm[2] explaining why it was removed is already broken. Classic JS ecosystem.

1: https://github.com/npm/feedback/discussions/858

2: https://www.npmjs.com/package/no-one-left-behind

I created a new discussion in the npm/feedback repo to share my idea. I also mentioned my idea in relevant discussions: npm scores, Weird search behavior with stats, and Improve search functionality on npmjs.com.

We encourage you to open a discussion if you have suggestions for how we can improve npm. You don't need to have a solution to the problem you are facing to kick off a discussion. We are hoping to foster productive and collaborative conversations, so please check out how to give good feedback if you want some guidance on how to kick off a successful discussion.

There is an ongoing discussion about 2FA and possible bandaids for this sort of problem in the npm community forum: https://github.com/npm/feedback/discussions/588

See - https://github.com/npm/feedback/discussions/191

Now there have been some discussions around to mitigate these things which might have gone side ways like https://npm.community/t/blacklist-entire-packages/9659/4 and https://github.com/npm/feedback/discussions/272. Of course there might be tools which you can use, such as running a commercial npm registry in proxy mode with blacklisting support. But what are the basic features you have as a developer that can be use to mitigate these things ?

This is likely the issue as npm 7 auto installs peer dependencies, which will fail on conflicting dependents.

npm workspaces plus Wireit works far better than Lerna, in my experience.

https://github.com/google/wireit

Wireit's ability to specify actual script dependencies, do caching (and on Github actions), and it's long-running service script support make it much more useful and comprehensive than Lerna.

I agree that this should be built into npm. There's an RRFC for it here: https://github.com/npm/rfcs/issues/706

It's coming https://github.com/npm/rfcs/blob/main/accepted/0042-isolated-mode.md

This just got accepted as a proposal in NPM: https://github.com/npm/rfcs/pull/626

npm also plans to support pnpm-style node_modules

(I usually end up removing npm ci from CI/CD since I think it is way too slow and want to cache node_modules from previous builds; I'm waiting for https://github.com/npm/rfcs/issues/415 to land to make this fail-safe npm install --from-lockfile. Yarn does support this already)

I started following this problem from the discussion at npm about making install scripts opt-in. But install scripts are not the only threat, there are more ways for malicious actors: