| | feedback | rfcs |
|---|---|---|
| Posts | 10 | 35 |
| Stars | 138 | 718 |
| Growth | 2.2% | 0.6% |
| Activity | 1.8 | 5.7 |
| Last commit | 5 months ago | 13 days ago |
| Language | JavaScript | |
| License | Creative Commons Attribution 4.0 | GNU General Public License v3.0 or later |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
feedback

- 'everything' blocks devs from removing their own NPM packages
  no-one-left-behind[1] was not even a year ago, and yet the link on npm[2] explaining why it was removed is already broken. Classic JS ecosystem.
  1: https://github.com/npm/feedback/discussions/858
  2: https://www.npmjs.com/package/no-one-left-behind
- Termux and nvm
- Better npm search proposal
  I created a new discussion in the npm/feedback repo to share my idea. I also mentioned my idea in relevant discussions: npm scores, Weird search behavior with stats, and Improve search functionality on npmjs.com.
- Badge on NPM packages to show support for ES modules
  We encourage you to open a discussion if you have suggestions for how we can improve npm. You don't need to have a solution to the problem you are facing to kick off a discussion. We are hoping to foster productive and collaborative conversations, so please check out how to give good feedback if you want some guidance on how to kick off a successful discussion.
- Popular 'coa' NPM library hijacked to steal user passwords
  There is an ongoing discussion about 2FA and possible bandaids for this sort of problem in the npm community forum: https://github.com/npm/feedback/discussions/588
- [Question] Response timeouts for packages with package-lock file
- Dependency issues/warnings with setting up Gatsby + Tailwind
  See - https://github.com/npm/feedback/discussions/191
- Choosing the right runtime matters
  Now there have been some discussions around how to mitigate these things, which might have gone sideways, like https://npm.community/t/blacklist-entire-packages/9659/4 and https://github.com/npm/feedback/discussions/272. Of course there might be tools which you can use, such as running a commercial npm registry in proxy mode with blacklisting support. But what are the basic features you have as a developer that can be used to mitigate these things?
- Cannot Add Angular Material, can you tell me what this means?
  This is likely the issue as npm 7 auto installs peer dependencies, which will fail on conflicting dependents.
rfcs

- Yarn 4.0
  npm workspaces plus Wireit works far better than Lerna, in my experience.
  https://github.com/google/wireit
  Wireit's ability to specify actual script dependencies, do caching (and on Github actions), and its long-running service script support make it much more useful and comprehensive than Lerna.
  I agree that this should be built into npm. There's an RRFC for it here: https://github.com/npm/rfcs/issues/706
- NPM vs Yarn?
  It's coming https://github.com/npm/rfcs/blob/main/accepted/0042-isolated-mode.md
- How do you know that the .exe or .apk file for an open source software on github is actually compiled from the viewable source code?
  This just got accepted as a proposal in NPM: https://github.com/npm/rfcs/pull/626
- Why aren't Node.js package managers interoperable?
  npm also plans to support pnpm-style node_modules
- Axios shipped a buggy version and it broke many productions apps. Let this be a lesson to pin your dependencies!
  (I usually end up removing npm ci from CI/CD since I think it is way too slow and want to cache node_modules from previous builds; I'm waiting for https://github.com/npm/rfcs/issues/415 to land to make this fail-safe npm install --from-lockfile. Yarn does support this already)
- How to run multiple NPM commands simultaneously using concurrently
- [RRFC] Parallel script execution when value is set to an array of text. · Issue #610 · npm/rfcs
- Lerna has gone. Which Monorepo is right for a Node.js BACKEND now?
- NPM introduces a new Dependency Selector Syntax
- How to respond to growing supply chain security risks?
  I started following this problem from the discussion at npm about making install scripts opt-in. But install scripts are not the only threat, there are more ways for malicious actors:
What are some alternatives?

- Data-Science-For-Beginners - 10 Weeks, 20 Lessons, Data Science for All!
- vm2 - Advanced vm/sandbox for Node.js
- Covenant - Covenant is a collaborative .NET C2 framework for red teamers.
- pnpm - Fast, disk space efficient package manager
- awesome-haskell-sponsorship - 💝 Haskell profiles to sponsor
- corepack - Zero-runtime-dependency package acting as bridge between Node projects and their package managers
- copilot.vim - Neovim plugin for GitHub Copilot
- Cargo - The Rust package manager
- typometer - Text / code editor typing latency analyzer
- GHSA-g2q5-5433-rhrf
- action-automatic-release - GitHub Action for creating automatic releases and changelogs
- SES-shim - Endo is a distributed secure JavaScript sandbox, based on SES