319 private links
My honest assessment is that the Rust / Cargo leadership needs to be bold, deprecate package publishing to crates.io and move to a decentralized package distribution architecture.
There is no other way around it. Rust needs to copy Go, it's as simple as that.
The second part of the solution, way harder and more expensive to implement, is to release an extended standard library. We need to reduce the number of third-party developers that we need to trust to release our software.
A workaround for now is to import Rust crates directly from git rather than from crates.io, for example `ring = { git = "https://github.com/briansmith/ring", version = "0.12" }`.
An alternative to NPM. It looks interesting because it does more than NPM for package authors.
Compared to NPM, JSR has native TypeScript support, ESM syntax, and some stricter constraints for interoperability.
More on https://jsr.io/docs/why
A wrapper that emits warnings about security risks.
A package.json can be provided in order to scan its dependencies. It searches for risks.
Checks how vulnerable a package is.
It provides information to assess whether a package is safe enough for the use case.
The tool provides an analysis for each line of code too.
Find unused dependencies: `npx depcheck`
Or install the package and run the command.
There is also npm-check, which checks for outdated, incorrect, and unused dependencies.
Example of usage of degit with a postinstall hook:
{
  "scripts": {
    "build": "eleventy",
    "postinstall": "degit tryGhost/Ghost/core/frontend/src/cards/css node_modules/ghost-cards"
  },
  "dependencies": {
    "@11ty/eleventy": "^1.0.0",
    "degit": "^2.8.4"
  }
}
TL;DR
Some zip programs do not handle the Unix epoch (timestamp 0) well, and Docker mishandles such zip files. So NPM fixed it by changing the default mtime and ctime of packed files.
They use a specific fixed timestamp: https://github.com/npm/cli/commit/58d2aa58d5f9c4db49f57a5f33952b3106778669
The most likely vector is a typo in a package name that installs the malicious package instead (typosquatting)!
Publishing packages under the same names as private ones to the public registry to get the code executed (dependency confusion)!
I didn't understand Workspaces 😅 The corresponding RFC on GitHub explains it well!
But we get:
- faster commands thanks to the use of a cache
- a way to declare that several modules depend on one and the same version of a module: peerDependencies
- the dependency installation logic is a module: @npmcli/arborist
- npx is integrated into npm via the `npm exec` command
Find the cost of adding an npm package to your bundle.