rfcs VS patch-package

npm workspaces plus Wireit works far better than Lerna, in my experience.

https://github.com/google/wireit

Wireit's ability to specify actual script dependencies, do caching (and on Github actions), and it's long-running service script support make it much more useful and comprehensive than Lerna.

I agree that this should be built into npm. There's an RRFC for it here: https://github.com/npm/rfcs/issues/706

It's coming https://github.com/npm/rfcs/blob/main/accepted/0042-isolated-mode.md

This just got accepted as a proposal in NPM: https://github.com/npm/rfcs/pull/626

npm also plans to support pnpm-style node_modules

(I usually end up removing npm ci from CI/CD since I think it is way too slow and want to cache node_modules from previous builds; I'm waiting for https://github.com/npm/rfcs/issues/415 to land to make this fail-safe npm install --from-lockfile. Yarn does support this already)

I started following this problem from the discussion at npm about making install scripts opt-in. But install scripts are not the only threat, there are more ways for malicious actors:

In order to allow users to use their device as a controller to adjust the position of the camera and find stars, I use the depreciated DeviceOrientationControls by patching it back into Three. In order for DeviceOrientationControls to function, we need access the user to grant access to their device's orientation. I attempt to gain access to this, alongside their camera, during a previous step of the UX using a custom composable I wrote for this purpose. You can see that permission step in the mockup video above. Once this permission is granted, we can initialize our DeviceOrienationControls with a single line.

If you use Yarn, there’s the `yarn patch` command [1], which lets you maintain patches for your dependencies. Even though I try to upstream patches wherever possible, sometimes you just want to apply a quick patch and move on, especially if the dependency is poorly maintained or even worse, deeply nested in your dependency hierarchy. I use `yarn patch` regularly, it’s one of the main reasons why I moved to Yarn in the first place.

If you’re not using Yarn, there seems to be a similar thing on npm, `patch-package`. [2] I never had to use that though.

[1]: https://yarnpkg.com/cli/patch

[2]: https://www.npmjs.com/package/patch-package

You can use patch-package to edit the part of the library.

patch-package

NPM doesn't have a patch command, but you can use patch-package to achieve the same result.

If there's issue ticket discussing it and someone can fix it, ask for patch file and use patch-package to patch it

You can try this (I highly recommend you to use the Patch Package library to track changes on any external library that you are using. (https://www.npmjs.com/package/patch-package)