I have started working on a tiny lockfile-less package manager for JavaScript:
https://t.co/5BFTouVav7
It implements bare-bones `node_modules` installs with workspace support.
I am already using it for a couple of my open source packages `webpack-virtual-modules` and `mochapack`
@trevmanz@rahuldave Interesting, I've tried the same for JavaScript dependency resolution. It is deterministic (provided the registry publishing history is consistent). Plus, when new dependency added to the project and it is newer then point in time, minimum compatible version should be used.
It would be a great experiment if we appointed key maintainers with limited term powers to an open source project based on secure RNG (fair coin flipping) among the group of willing contributors. Contributors sense of ownership and user trust would increase in such a project.
@jasnell Have you considered fair coin flipping protocol to appoint TSC members with a limited term powers - to lower the risk of power misuse/foundation degradation in the long run?
Automattic Is Doing Open Source Dirty
https://t.co/BqX8UrrPEZ
I disagree with the author. I don't think Wordpress drama has serious risks for open source. Because the grounds for the drama is Trademark misuse (seems null and void legally), not open source license misuse.
@ematipico @NicoloRibaudo It's more a responsibility of a linter than a package manager. Package manager responsibility is to install dependencies satisfying package.json. Some people think that npm is exposing non-direct dependencies on purpose while it is doing so more for perf and min-space reasons.
@nev_nein @NicoloRibaudo If npm will not expose non-explicit dependencies this will result in bigger and slower installs. I'd say it is not a responsibility of a package manager, it is a responsibility of linting tools.
@NicoloRibaudo@kettanaito And if you try to do this in npm compatible way like Yarn does with `nmHoistingLimits: dependencies` you will end up with a bit bigger and slower installs and people will say, hey this package manager is "slower", why should we use it, so not enabled by default as well.
@NicoloRibaudo@kettanaito pnpm uses alternative install layout, which has problems with symlinks, not all of the packages handle them well, so suggested "cure" might be not better then the "disease".
@arcanis So it should prefer dependency versions before `lockTime` in all cases, except those cases where it is impossible. And where it is impossible - lowest in the requested range will be downloaded.
Lockfiles used in JavaScripts projects can be harmful from security and stability perspectives. You have machine generated data in your repository that is used for package manager decisions to download additional code. (1/4)
@arcanis When you add unrelated dependency years later it will get the highest version of the dependency that existed at `lockTime` moment and all the other dependencies will not be affected.
it does not mix dependencies from the future with dependencies from distant path, thus reducing bugs and increasing stability. So it has not only security, but also compatibility benefits.
(4/4)
`lockTime` field is used instead in the `package.json` to fixate the time of the install, dependencies having the highest versions that existed before this time point are used. This approach picks the dependencies from the same time epoch - versions that existed together
(3/4)