Even in that case it would still seem better to allow unpublish and bump the version number, right?
Immutability (plus unpublish) would make the npm registery an even better place. On Thu, Dec 19, 2013 at 2:43 PM, Mikeal Rogers <[email protected]>wrote: > There have also been security issues where old packages were shipped with > sensitive information that needed to be ripped out. > > On Dec 18, 2013, at 5:07PM, Forrest L Norvell <[email protected]> > wrote: > > I agree that packages should rarely be changed, but in practice if there's > a major bug or the packaging gets totally botched (which has happened to me > a few ties), it's good to have the ability to fix the problem in-place. I'm > less enamored on the possibility of removing packages once they've been > published. That seems like it's almost always a bad idea, and I would be in > favor of altering the registry to disallow it. > > F > > > On Wed, Dec 18, 2013 at 12:41 PM, Tim Caswell <[email protected]> wrote: > >> If you want this level of static dependencies you can check in your deps >> into node_modules in your git tree or use git submodules in there. Git >> does guarantee that the thing you point to can't be changed because the >> hash *is* the hash of the content. If anything changes, the hash changes. >> >> >> On Wed, Dec 18, 2013 at 7:40 AM, Brian Lalor <[email protected]> wrote: >> >>> On Dec 18, 2013, at 7:23 AM, Richard Marr <[email protected]> >>> wrote: >>> >>> I'm working on an app where security is an issue, and among the (many) >>> things that I'm frothingly paranoid about is the possibility of malicious >>> (or more likely just untested) code somehow getting into our app, even >>> though we're using shrink-wrapped versions. It means we'll have to be much >>> more careful with the way we proxy the npm registry. >>> >>> >>> I’d like to know this, as well. One of the guarantees made by the Maven >>> central repository is that artifacts (packages) can check in, but they can >>> never check out. I frankly don’t think NPM provides this type of >>> assurance, but it should. Otherwise the only way an organization can trust >>> packages is to run their own repository. >>> >>> -- >>> Brian Lalor >>> [email protected] >>> >>> >>> -- >>> -- >>> Job Board: http://jobs.nodejs.org/ >>> Posting guidelines: >>> https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines >>> You received this message because you are subscribed to the Google >>> Groups "nodejs" group. >>> To post to this group, send email to [email protected] >>> To unsubscribe from this group, send email to >>> [email protected] >>> For more options, visit this group at >>> http://groups.google.com/group/nodejs?hl=en?hl=en >>> >>> --- >>> You received this message because you are subscribed to the Google >>> Groups "nodejs" group. >>> To unsubscribe from this group and stop receiving emails from it, send >>> an email to [email protected]. >>> For more options, visit https://groups.google.com/groups/opt_out. >>> >> >> >> -- >> -- >> Job Board: http://jobs.nodejs.org/ >> Posting guidelines: >> https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines >> You received this message because you are subscribed to the Google >> Groups "nodejs" group. >> To post to this group, send email to [email protected] >> To unsubscribe from this group, send email to >> [email protected] >> For more options, visit this group at >> http://groups.google.com/group/nodejs?hl=en?hl=en >> >> --- >> You received this message because you are subscribed to the Google Groups >> "nodejs" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to [email protected]. >> For more options, visit https://groups.google.com/groups/opt_out. >> > > > -- > -- > Job Board: http://jobs.nodejs.org/ > Posting guidelines: > https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines > You received this message because you are subscribed to the Google > Groups "nodejs" group. > To post to this group, send email to [email protected] > To unsubscribe from this group, send email to > [email protected] > For more options, visit this group at > http://groups.google.com/group/nodejs?hl=en?hl=en > > --- > You received this message because you are subscribed to the Google Groups > "nodejs" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > For more options, visit https://groups.google.com/groups/opt_out. > > > -- > -- > Job Board: http://jobs.nodejs.org/ > Posting guidelines: > https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines > You received this message because you are subscribed to the Google > Groups "nodejs" group. > To post to this group, send email to [email protected] > To unsubscribe from this group, send email to > [email protected] > For more options, visit this group at > http://groups.google.com/group/nodejs?hl=en?hl=en > > --- > You received this message because you are subscribed to the Google Groups > "nodejs" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > For more options, visit https://groups.google.com/groups/opt_out. > -- -- Job Board: http://jobs.nodejs.org/ Posting guidelines: https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines You received this message because you are subscribed to the Google Groups "nodejs" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/nodejs?hl=en?hl=en --- You received this message because you are subscribed to the Google Groups "nodejs" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/groups/opt_out.
