<jfhbrook>
yeah no npm3 is a bit of a shitshow imo
<jfhbrook>
like they rewrote huge parts of it and now it's less battle-tested
<jfhbrook>
that said it does sound like the rewrites paid off some pretty serious tech debt that will have made this worth it
<jfhbrook>
like not-completely-broken bundledDependencies support
Sgeo__ has joined #elliottcable
Sgeo_ has quit [Ping timeout: 240 seconds]
<alva>
How does it improve upon the package managers that came before it?
gkatsev has quit [Ping timeout: 260 seconds]
gkatsev has joined #elliottcable
alexgordon has joined #elliottcable
brr has quit [Read error: Connection reset by peer]
brr has joined #elliottcable
<jfhbrook>
well, existing, for one
<jfhbrook>
there wasn't really a node package manager before npm, or at least npm was #2
<jfhbrook>
tj holowaychuk actually wrote an early node package manager
<jfhbrook>
it was probably accidental that npm "won"
<jfhbrook>
but one nice feature of npm that I haven't necessarily seen elsewhere at least in the same way is really granular semver ranges
<jfhbrook>
that combined with the turtles-all-the-way-down modules had some interesting consequences
<jfhbrook>
a lot of which were good
<jfhbrook>
some say you traded one kind of dependency hell for another
<jfhbrook>
I dunno
<jfhbrook>
but it's not like isaac decided to write a better maven
<jfhbrook>
at least insofar as him having the hubris to have seen this explosive growth coming
<jfhbrook>
or not having it, rather
ohhmaar_ has joined #elliottcable
nuck has joined #elliottcable
nuck is now known as Guest78515
creationix has quit [Ping timeout: 246 seconds]
ohhmaar has quit [Ping timeout: 246 seconds]
NuckingFuts has quit [Ping timeout: 246 seconds]
ohhmaar_ is now known as ohhmaar
incomprehensibly has quit [Ping timeout: 246 seconds]
krainboltgreene has quit [Ping timeout: 246 seconds]
creationix has joined #elliottcable
incomprehensibly has joined #elliottcable
krainboltgreene has joined #elliottcable
yrashk has quit [Quit: Connection closed for inactivity]
alexgordon has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…]
fujisan has joined #elliottcable
Rurik has joined #elliottcable
Rorik has quit [Ping timeout: 244 seconds]
eligrey has quit [Quit: Leaving]
eligrey has joined #elliottcable
eligrey has quit [Quit: Leaving]
brixen has quit [Ping timeout: 244 seconds]
vigs has quit [Ping timeout: 244 seconds]
brixen_ has joined #elliottcable
vigs has joined #elliottcable
Sgeo__ has quit [Ping timeout: 252 seconds]
fujisan has quit [Quit: Connection closed for inactivity]
vigs has quit [Ping timeout: 244 seconds]
vigs has joined #elliottcable
Navarr has joined #elliottcable
Rorik has joined #elliottcable
Rurik has quit [Ping timeout: 246 seconds]
alexgordon has joined #elliottcable
alexgordon has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…]
ohhmaar has quit [Ping timeout: 250 seconds]
ohhmaar has joined #elliottcable
<pikajude>
wooo, back on a sane OS
<pikajude>
with readable font rendering
meowrobot has joined #elliottcable
alexgordon has joined #elliottcable
alexgordon has quit [Client Quit]
alexgordon has joined #elliottcable
alexgordon has quit [Client Quit]
alexgordon has joined #elliottcable
alexgordon has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…]
alexgordon has joined #elliottcable
eligrey has joined #elliottcable
eligrey has quit [Changing host]
eligrey has joined #elliottcable
alexgordon has quit [Read error: Connection reset by peer]
Navarr has quit [Quit: Connection closed for inactivity]
<alva>
jfhbrook: I guess I don't see why there needs to be one specifically for node.
<alva>
Especially one with so many problems. Unsigned packages that can be replaced? okay.bmp
<jfhbrook>
I mean *something* has to go into node_modules
<jfhbrook>
what do you propose, just shoehorning maven into it?
<jfhbrook>
that seems less than ideal
<alva>
I don't know, C, Haskell, Python libs seem to be happily packaged up in apt
<alva>
If nothing else, a fork of that seems like it'd be a better starting point
<jfhbrook>
apt is an awful shim for most of those
<jfhbrook>
haskell has cabal, python has pip (and a bunch of other crap)
<jfhbrook>
and using apt for python, at least, ends poorly, especially when you're dealing with locally-installed deps instead of system-wide ones
<jfhbrook>
(you almost never do system-wide deps with node)
<ELLIOTTCABLE>
hi loves
<alva>
Ok so how about a fork of Nix. Allows versions to coexist peacefully without duplication, per user or otherwise
<alva>
Hi ELLIOTTCABLE
<jfhbrook>
I'm aware of nix, it would still be a poor fit
<alva>
Ok I guess npm is the best we can do then
<alva>
<alva>
I don't node so don't mind me
<jfhbrook>
well no, obviously npm has problems
<jfhbrook>
but it Makes Sense to write a package manager *for* node
<jfhbrook>
fwiw I've tried repurposing npm for other systems because you can just use couchdb as the registry
<jfhbrook>
I had a really bad time, and not just because npm itself has problems
<ELLIOTTCABLE>
o7 alva!
<jfhbrook>
GOD FUCKING DAMN IT PAGERDUTY
<alva>
We have our own apt repos, for all our stuff. Works well.
<ELLIOTTCABLE>
pikajude, jfhbrook: wat
<alva>
Can update things swiftly and didn't have to reinvent wheels.
<pikajude>
hi
<purr>
pikajude: hi!
<jfhbrook>
I have 8+ triggered incidents because devops did a cutover on their NAT
<jfhbrook>
and sensu is **confused**
<ELLIOTTCABLE>
alva: oh god, python's is the worst
<ELLIOTTCABLE>
nearest to npm-quality is Ruby, afaik
<ELLIOTTCABLE>
I haven't used Nix yet, although I've heard good things
<jfhbrook>
nix is a chill alternative to things like apt
<ELLIOTTCABLE>
but all the *sane* system-package-managers say ‘please don't wrap libraries’, for really fucking obvious and good reasons
<jfhbrook>
where you can have a global store of your packages
<ELLIOTTCABLE>
pacman, Homebrew: “plz install using pip/cabal/npm, plz. don't install with brew/pacman.”
Sgeo__ has joined #elliottcable
<alva>
Nix's biggest problem is lack of packages imo
<ELLIOTTCABLE>
“just put it in apt?” ahahahah. no.
<alva>
ELLIOTTCABLE: I mean, there'it's different to have your own repo of your company's libs
<alva>
^W fail
<ELLIOTTCABLE>
honestly, I'm *really* impressed with npm
<ELLIOTTCABLE>
but there's one, subtle change (that someone in this room, actually, convinced me of), that I'm going to make for my slightly-npm-inspired packaging system for my work:
<ELLIOTTCABLE>
you won't be able to have <packaging system dependencies> for things that, themselves, are not published to the packaging system.
<ELLIOTTCABLE>
like, you'll literally have to open up the source code, and rip out disable/protections, if you want to try and `manager install <package>` in a project that isn't, itself, published to the registry.
<ELLIOTTCABLE>
because alexgordon has thoroughly convinced me that *end-of-the-line products* (basically, applications / sites / whatever) shouldn't be using package managers: they should be statically vendoring, and versioning, *all* of their dependencies.
<ELLIOTTCABLE>
package-managers, interdependency resolution … that's for *libraries*, and for one final *generation* of <static set of dependencies> for the end-product that uses some given set of those libraries.
<ELLIOTTCABLE>
I've also got some radical ideas on versioning, but ... not relevant rn
<alva>
Yeah. The only argument against that which makes a bit of sense is "but security!", I'm just not convinced it's more work to update a bunch of statically linked binaries than to update a dynamic library, if you've built your process for that.