Tag: Dependencies

npm 5: Lockfiles Finally Arrive

Post author By Shishir Sharma
Post date January 18, 2017
No Comments on npm 5: Lockfiles Finally Arrive

npm 5 is shipping with package-lock.json, and the irony isn't lost on anyone. After Yarn forced npm's hand by introducing lockfiles in October 2016, npm is finally catching up. This is competition working exactly as intended—but it also exposes some uncomfortable truths about JavaScript dependencies.

What Changed

npm 5 introduces package-lock.json which locks down the entire dependency tree. Run npm install on any machine with the lockfile, and you get identical versions of every package, including transitive dependencies. This matches what Yarn's yarn.lock has been doing since launch.

{
  "name": "my-app",
  "version": "1.0.0",
  "lockfileVersion": 1,
  "dependencies": {
    "lodash": {
      "version": "4.17.4",
      "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.4.tgz",
      "integrity": "sha1-eCA6TRwyiuHYbcpkYONptX9AVa4="
    }
  }
}

The performance improvements are also significant. npm 5 is noticeably faster than npm 4, though still not quite matching Yarn's speed.

Tags Dependencies, JavaScript, npm, package-lock, Yarn

JavaScript npm Open Source

The left-pad Incident: npm’s Single Point of Failure

Post author By Shishir Sharma
Post date February 17, 2016
No Comments on The left-pad Incident: npm’s Single Point of Failure

This week, the JavaScript ecosystem had a wake-up call. A developer unpublished a tiny npm package—11 lines of code—and broke thousands of projects including major ones like Babel and React. The incident exposed fundamental fragility in how npm dependencies work.

The technical fix was quick. The implications aren't.

What Happened

Tags Dependencies, JavaScript Ecosystem, left-pad, npm, Open Source

JavaScript Node.js Tooling

npm 3: Flatter Dependencies (Finally)

Post author By Shishir Sharma
Post date February 17, 2015
No Comments on npm 3: Flatter Dependencies (Finally)

npm 3 is in beta, and the biggest change is how it handles dependencies. Instead of deeply nested trees, npm 3 tries to flatten them. This seemingly small change has significant implications for how we use npm, especially for frontend code.

The Nested Dependency Problem

Tags Dependencies, Node.js, npm, Package Management

JavaScript Tooling Web Development

Bower and the Frontend Package Management Problem

Post author By Shishir Sharma
Post date April 11, 2013
No Comments on Bower and the Frontend Package Management Problem

Twitter released Bower six months ago, and it's gaining traction for managing frontend dependencies. But using it raises an interesting question: why does frontend need a separate package manager? The answer reveals fundamental differences in how we think about server-side versus client-side code.

The npm Model Doesn't Work for Browsers

Tags Bower, Dependencies, Frontend, JavaScript, npm, Package Management