11
votes
Accepted
Adding library as dependency only to use one function
This really really depends and has to be decided on a case by case basis. Also, the modern JavaScript ecosystem has a strong bias towards using tiny libraries, so conventions from other ecosystems do ...
10
votes
Accepted
Best ways to deal with unexpected bugs in already published npm packages
v0.1.0 being useless is far better than v0.1.0 working for some people and not for others depending on when they downloaded it. The whole point of versioning is to avoid that confusion.
Once it's ...
6
votes
How to warn devs after installing or updating npm packages?
Looks like you may have an X-Y problem here.
Your actual problem is that it happens (often? sometimes?) that the build environment isn't cleaned after installing or updating packages.
You think that ...
6
votes
Should published npm packages target ES5 syntax?
There is only one rule which is that you publish what makes sense to you.
What makes sense to you is typically a trade-off between what features you expect your users to have available and what (lack ...
6
votes
Accepted
What pattern lets each of multiple "voters" decide on a central status?
What is a pattern?
A pattern is not different from any other code you use in your application. The only difference is that somebody said "this is now called [x] pattern" and then that name has been ...
5
votes
Why do most package managers not keep a single reusable library with different versions of each package?
Virtual environments (and equivalent) are supposed to be isolated. Sure, most package managers, even pip do download data into a single place. But then each virtual env gets its own isolated copy.
...
4
votes
Should I put docker commands in my package.json?
If it's an entirely private Node module, and it works for you, then go ahead.
However, I'd say the "correct" answer is No because if you published the module (even to a private corporate npm repo), ...
4
votes
Accepted
Publishing versions out of order
Yes, you can. As johnrsharpe mentioned, this allows you to publish bugfixes on old versions, as well as concurrently release multiple testing versions.
Which is considered latest? From npm publish:
...
4
votes
Accepted
How is a reproducible build guaranteed with version ranges in NPM?
It's possible by having two distinct lists of dependencies, one with ranges, and one with specific versions, known as a lockfile.
Version ranges are helpful for libraries so that bug patches in your ...
3
votes
Accepted
Change semver versioning after dropping node engine versions
Will dependents who are building at lower node engine versions have any problems after my update?
That depends on how you are using that dependency that caused the update. If that dependency is only ...
3
votes
How is a reproducible build guaranteed with version ranges in NPM?
The problem now is I find it hard to rectify the use of version ranges with the idea of having reproducible builds.
It is obviously impossible.
how it is ever possible to have reproducible builds ...
2
votes
continuous deployment of web application built with multiple packages
A solution I see to this is having your CI/CD process on the main package ensure child packages are updated. Using semantic versioning you could set and fixate your package version major version and ...
2
votes
Adding library as dependency only to use one function
Regardless of other concerns, using a javascript library will only save you time (and ergo money) if you don't check the code, and every subsequent update, for security risks.
So you are really ...
2
votes
How is a reproducible build guaranteed with version ranges in NPM?
You can have a reproducible build and version ranges for your dependencies, so long as each build does not reinstall dependencies.
The version range is a setting in a config file, but a build is more ...
2
votes
Publishing packages for personal and commercial use
In most jurisdictions, software that was written as part of your employment duties (aka your job) belongs to your employer. That means that you are not allowed to publish that software in any way ...
2
votes
How to declare the need of polyfills publishing jquery plugin (and specially for webpack users)?
First, document the browsers you support. Below that, include a section in your documentation about how to support older browsers. Here you can list the features for which polyfills are required.
...
2
votes
How do you reduce security risks when using NPM packages in commercial Web development?
The only truly secure option for working with NPM (or other package managers) is to not use them directly. You need a private repository for every package you use and you need to scan it with every ...
1
vote
What are the benefits of keeping npm packages up-to-date?
There can be many benefits to updating your packages. But, of course, there can also be some downsides. We'll take a look at both as well as some considerations for picking a package version, which ...
1
vote
Best ways to deal with unexpected bugs in already published npm packages
Publish a fixed version, and issue a deprecation warning for the old one.
(Deprecation warnings should only be issued for severe issues, but "breaks the entire package" certainly qualifies)
...
1
vote
Best ways to deal with unexpected bugs in already published npm packages
To a package developer, even more so than your average library developer, prior versions don’t exist except insofar as you wish to avoid unnecessary breaking changes.
If version x-1 is broken, that is ...
1
vote
How do you reduce security risks when using NPM packages in commercial Web development?
For most organizations, it will be very difficult to assess vulnerabilities on your own in a vacuum to the level of rigor you desire. Even if you can assess the trustworthiness of a specific package ...
1
vote
How do you reduce security risks when using NPM packages in commercial Web development?
Relevant to point out: it was confirmed in comments that OP is concerned with the risk of security vulnerabilities.
Package management is one of those things that can cause a lot of paperwork and ...
1
vote
Should a process be responsible for scheduling itself?
Pretty much anything that aligns with build/deploy cycle should be made part of it. In lieu of any other considerations, I see no reason to require a separate management of such things. I find your ...
1
vote
Accepted
How do you work with closing pools/connections?
Yes, you'd "close" (or release) the Connection - the Pool maintains a list of Connections for your application to use (FIFO queuing the request if no Connection is available). It's semantic -...
1
vote
What pattern lets each of multiple "voters" decide on a central status?
What you're probably looking for is a Consensus Algorithm.
Consensus is a problem in all distributed systems. Consider the problem of data consistency in microservices. In an ideal world, each ...
1
vote
Correct way to serve file that's in node_modules
Well, I solved this with Laravel Mix:
in the webpack.mix.js
mix.copy('node_modules/cryptocurrency-icons/svg/color/', 'public/img/coins');
1
vote
Managing private NPM packages and CI/CD
We used the .npmrc file to define multiple repositories with different logins. (works for yarn too)
That means we have for example two dependencies, a public hosted one and a private hosted one. ...