GNU social JP
GNU social JP is a Japanese GNU social server.
Conversation

Notices

  1. keithzg (keithzg@fediverse.keithzg.ca)'s status on Thursday, 29-Jun-2023 00:33:48 JST
    I've said it before, I'll say it again: use distro package managers. Do not use language-specific package managers. FOR FUCKS SAKE DO NOT USE NPM! https://blog.vlt.sh/blog/the-massive-hole-in-the-npm-ecosystem
    Attachment (blog.vlt.sh):
      The massive bug at the heart of the npm ecosystem
      An overview of the new features released in v1 - code block copy, multiple authors, frontmatter layout and more
    • feld (feld@bikeshed.party)'s status on Thursday, 29-Jun-2023 00:33:47 JST
      Yeah but this is literally *impossible* to do.

      We cannot put all these packages in distro package managers. Especially because we need every version of all of these packages because so many libraries in these languages don't properly follow SEMVER so we can't just say "oh, 1.0 of this nodejs-widget should be compatible with all these things" -- because it's not. They all need the specific versions of the packages that they were pinned to or you're asking for a free vacation to the 9 circles of hell
    • feld (feld@bikeshed.party)'s status on Thursday, 29-Jun-2023 00:40:16 JST, in reply to feld
      There once was a plan to extend the FreeBSD pkg manager to directly integrate with RubyGems, PyPI, CPAN, NPM, etc. so it would just be automagic and there would be a single source of truth for everything -- pkg itself.

      I wasn't directly involved in that so I'm not sure what happened. I still wish it had that capability, but you're just inheriting the security problems of those other tools.

GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.