javascript - What happens when an npm package is deleted? - Stack Overflow
I was reading an article on how the author of a popular npm package (left-pad) caused apps to break after he deleted his package.
How could this be the case? Isn't an npm package's code locally downloaded when you npm install --save? The only case where I'd imagine this being a problem would be for those who were using the project via CDN. Are my assumptions correct?
src article: https://www.theregister.co.uk/2016/03/23/npm_left_pad_chaos/
asked Feb 5, 2019 at 20:26 by lightspeed (edited Feb 5, 2019 at 20:27)

Comments:
- When you do npm install {anything} it downloads the package into your node_modules folder locally and will continue to run. The --save option ensures that your package.json file reflects the exact version you used in your project. This is relevant when someone installs your module: they'll get the same version instead of the latest. If the package is deleted and yours depends on it, that would then cause an issue when someone tries to install your package from scratch (because they'll need to download the now deleted package). – Nick Dima, Feb 5, 2019 at 20:27
- Yes, but continuous integration suites usually re-download everything to make sure they have a clean slate to do tests with. Those tests and fresh deploys instantly broke. – zero298, Feb 5, 2019 at 20:29
- Why would it be an issue if the source code is installed locally in the node_modules folder? – lightspeed, Feb 5, 2019 at 20:30
- @lightspeed because during the build process you generally npm install. Well, think about it. It will try to download the deleted package and fail because it doesn't exist. – Isaac Vidrine, Feb 5, 2019 at 20:30
- @lightspeed in an automated deployment, yes, but I mean you could always ssh into the machine and manually update and start the app. But the whole point of a CI/CD environment is that you can push code to source control and have the build/deployment process automated. All you should have to do is git push. Nik Kyriakides stated it beautifully. – Isaac Vidrine, Feb 5, 2019 at 20:49
1 Answer (score: 7)

Most projects don't commit the actual modules to source control

The node_modules folder is usually not uploaded to source control such as Git or SVN. It's quite often a humongous folder and it would be cumbersome to push/pull it each time.
Plus some modules contain C++ code and are compiled upon installation on the user's OS. I might have a different OS than the user that installed it, hence that module wouldn't work if I blindly downloaded his own compiled version of that module from source control.
Instead a small config file such as package.json is included which describes which modules are required for the project. When you run $ npm install, the package manager (npm or yarn) then reads that file and starts downloading the modules it references.
Each time the project gets deployed or cloned, the machine downloads the source code from its repository but without the modules (since they're not on source control), and then a human or a machine runs $ npm install to also get the dependent/required modules.

Projects get deployed and built all the time

Now, projects get deployed on remote servers all the time; i.e. deploying the project to a production server, or its tests run on a remote CI server, or it is even cloned by other developers on their local machines. Projects I work on get deployed & tested on a remote CI server at the very least 5 times a day; every time we push a commit to the remote repository.
Since that user deleted his much dependent-on module, a lot of $ npm installs around the globe started to fail. A lot of people couldn't push updates to projects on their production server, other developers couldn't get the project on their machine so they could work on it, etc...
As a safeguard against these issues, npm introduced a policy that prohibits un-publishing modules that are more than 72h old:
From npm:
Registry data is immutable, meaning once published, a package cannot change. We do this for reasons of security and stability of the users who depend on those packages. So if you've ever published a package called "bob" at version 1.1.0, no other package can ever be published with that name at that version. This is true even if that package is unpublished. However, because accidents happen we've allowed a 72 hour window for users to unpublish packages they have just created.
Tags: javascript