I agree that packages should rarely be changed, but in practice if there's a major bug or the packaging gets totally botched (which has happened to me a few ties), it's good to have the ability to fix the problem in-place. I'm less enamored on the possibility of removing packages once they've been published. That seems like it's almost always a bad idea, and I would be in favor of altering the registry to disallow it.
F On Wed, Dec 18, 2013 at 12:41 PM, Tim Caswell <[email protected]> wrote: > If you want this level of static dependencies you can check in your deps > into node_modules in your git tree or use git submodules in there. Git > does guarantee that the thing you point to can't be changed because the > hash *is* the hash of the content. If anything changes, the hash changes. > > > On Wed, Dec 18, 2013 at 7:40 AM, Brian Lalor <[email protected]> wrote: > >> On Dec 18, 2013, at 7:23 AM, Richard Marr <[email protected]> wrote: >> >> I'm working on an app where security is an issue, and among the (many) >> things that I'm frothingly paranoid about is the possibility of malicious >> (or more likely just untested) code somehow getting into our app, even >> though we're using shrink-wrapped versions. It means we'll have to be much >> more careful with the way we proxy the npm registry. >> >> >> I’d like to know this, as well. One of the guarantees made by the Maven >> central repository is that artifacts (packages) can check in, but they can >> never check out. I frankly don’t think NPM provides this type of >> assurance, but it should. Otherwise the only way an organization can trust >> packages is to run their own repository. >> >> -- >> Brian Lalor >> [email protected] >> >> -- >> -- >> Job Board: http://jobs.nodejs.org/ >> Posting guidelines: >> https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines >> You received this message because you are subscribed to the Google >> Groups "nodejs" group. >> To post to this group, send email to [email protected] >> To unsubscribe from this group, send email to >> [email protected] >> For more options, visit this group at >> http://groups.google.com/group/nodejs?hl=en?hl=en >> >> --- >> You received this message because you are subscribed to the Google Groups >> "nodejs" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to [email protected]. >> For more options, visit https://groups.google.com/groups/opt_out. >> > > -- > -- > Job Board: http://jobs.nodejs.org/ > Posting guidelines: > https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines > You received this message because you are subscribed to the Google > Groups "nodejs" group. > To post to this group, send email to [email protected] > To unsubscribe from this group, send email to > [email protected] > For more options, visit this group at > http://groups.google.com/group/nodejs?hl=en?hl=en > > --- > You received this message because you are subscribed to the Google Groups > "nodejs" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > For more options, visit https://groups.google.com/groups/opt_out. > -- -- Job Board: http://jobs.nodejs.org/ Posting guidelines: https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines You received this message because you are subscribed to the Google Groups "nodejs" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/nodejs?hl=en?hl=en --- You received this message because you are subscribed to the Google Groups "nodejs" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/groups/opt_out.
