[You can also read this post in Russian.] Those of you upgrading npm to its latest version, npm@5.2.0, might notice that it installs a new binary alongside the usual npm: npx. npx is a tool intended to help round out the experience of using packages from the npm registry — the same way npm makes it super easy to install and manage dependencies hosted on the registry, npx makes it easy to use CLI t
npm5 was recently released with Node 8 and you may have noticed that there's a new file to play around with! npm5 introduces a lockfile, package-lock.json, that keeps a record of every dependency your project uses and what version you have currently installed. Before npm5, this was behavior you could only get from npm shrinkwrap. You can read the docs on these here: npm package locks package-lock.
For Yarn 2+ docs and migration guide, see yarnpkg.com. Posted May 31, 2017 by Sebastian McKenzie. One of the claims that Yarn makes is that it makes your package management "deterministic". But what exactly does this mean? This blog post highlights how both Yarn and npm 5 are deterministic, but differ in the exact guarantees they provide and the tradeoffs they have chosen. What is determinism? Dete
The npm blog has been discontinued. Updates from the npm team are now published on the GitHub Blog and the GitHub Changelog. Wowowowowow npm@5! This release marks months of hard work for the young, scrappy, and hungry CLI team, and includes some changes we've been hoping to do for literally years. npm@5 takes npm a pretty big step forward, significantly improving its performance in almost all common situations, fixing a bunch of old errors due to the architecture, and just generally making it more robust and fault-toler
With the v7.4 release, npm 4 became the bund
Yarn is a package manager that doubles down as project manager. Whether you work on simple projects or industry monorepos, whether you're an open source developer or an enterprise user, Yarn has your back. This documentation covers Yarn 4+. For the previous documentation dedicated to 3.6 and below, please refer to v3.yarnpkg.com. Workspaces: First package manager built specifically around workspaces
Today, Facebook announced that they have open sourced Yarn, a backwards-compatible client for the npm registry. This joins a list of other third-party registry clients that include ied, pnpm, npm-install and npmd. (Apologies if we missed any.) Yarn's arrival is great news fo
In the JavaScript community, engineers share hundreds of thousands of pieces of code so we can avoid rewriting basic components, libraries, or frameworks of our own. Each piece of code may in turn depend on other pieces of code, and these dependencies are managed by package managers. The most popular JavaScript package manager is the npm client, which provides access to more than 300,000 packages
The left-pad fiasco shook the JavaScript community to its core when a rogue developer removed a popular module from npm, causing tens of projects to go dark. While code bloat continues to slow down our websites, drain our batteries, and make "npm install" slow for a few seconds, many developers like myself have decided to carefully audit the dependencies we bring int
When using npm Enterprise, we sometimes encounter public packages in our private registry that need to fetch resources from the public internet when being installed by a client via npm install. Unfortunately, this poses a problem for developers who work in an environment wit
Note: as of January 30, 2020, the unpublish policy has been updated. One of Node.js' core strengths is the community's trust in npm's registry. As it's grown, the registry has filled with packages that are more and more interconnected. A byproduct of being so interdependent
Disclaimer: we had been told this vulnerability would be disclosed on Monday, not Friday, so this post is a little rushed and may be edited later. As disclosed to us in January and formally discussed in CERT vulnerability note VU#319816, it is possible for a maliciously-writ
Vulnerability Note VU#319816 Original Release Date: 2016-03-26 | Last Revised: 2016-03-26 npm allows packages to take actions that could allow a malicious npm package author to create a worm that spreads across the majority of the npm ecosystem. npm is the default package manager for Node.js, which is a runtime environment for developing server-side web applications. There are several factors
Earlier this week, many npm users suffered a disruption when a package that many projects depend on — directly or indirectly — was unpublished by its author, as part of a dispute over a package name. The event generated a lot of attention and raised many concerns, because of
Hey everyone — I'm the head of messenger at Kik. I wish this didn't have to be my first post on Medium, but open source is something that I care about. I've published a few meager open source projects in the past, things that aren't groundbreaking but that I thought might be useful to other people, and I rely on countless others every day. I found out about this problem like a lot of you, when our
Everyone involved here has my sympathy. The situation sucks for everyone, not least Azer (who owes none of you ingrates a damn thing!). But reading the GitHub thread should leave you thoroughly exasperated, because this problem is very easily solved. Bundle your code, even if it's not for the browser. Just to recap: left-pad was unpublished. Babel uses fixed versions of its dependencies, one of