That is a leading question that I can and will not answer. Thank you for taking your time to discuss this matter. I will disengage now from this conversation. Have a good evening.
You missed a very important point. What happens in npmx's case is that you as the consumer are going to the npmx store, which has all the goods. And inside this store npmx decided to add customer notices to the products. You are free to go to another store without these customer notices.
That sounds like a reasonable change
And I think the banner also is very open about the source of the information. It directly links to the important parts and gives additional context. It allows you as a reader to take action directly at the source if you choose to do so. So I'm sorry but I fail to see the point you're trying to make.
This is specifically spoken from the perspective of a user of open source software and not from a maintainer perspective.
But I can also see benefits for the maintainer of a package: reducing the number of users that are not the target audience frees up time and bandwidth for the important issues
The banner shows exactly that. It tells me that I MIGHT not need it. And with that it educates me. It shows me something I might have missed. And it could help reduce my attack surface by relying on fewer third-party dependencies.
I know this feature and I really like it. Especially the case you presented. dotenv is an amazing project and it is still actively maintained. It still serves a purpose. But since node 20.6 it may not be necessary to depend on it anymore because there is a similar functionality built-in now.
You can use them by adding
allow-git=none
min-release-age=7
to your .npmrc.
Look at the specifics of the configs in the docs: docs.npmjs.com/cli/v11/comm...
npm v11.10 added the min-release-age config that allows you to delay the installation of newly released package versions. That was possible with the --before flag, but min-release-age lets you specify a relative number of days directly from your .npmrc (github.com/npm/cli/pull...)
npm v11.9 (shipped with the current LTS version of node) introduced the allow-git flag that lets you block the installation of dependencies from git. This prevents an attack vector that allowed RCE even with ignore-scripts present. Thanks to #koi.ai for their work www.koi.ai/blog/package...
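As an added example (not code from the thread, from npm or from npmx), a small Python audit that parses an .npmrc for the two settings discussed above and lists package.json dependencies that would resolve from git, i.e. the ones allow-git=none would refuse. The sample .npmrc and package.json are constructed and the package names in them are hypothetical.

```python
"""Audit npm hardening: .npmrc settings plus git-sourced dependencies."""
import json
import re

# Specifier shapes npm resolves by cloning a git repository
GIT_SPEC = re.compile(
    r"^(git\+|git://|github:|gitlab:|bitbucket:|gist:"
    r"|https?://github\.com/[^/]+/[^/#]+(?:\.git)?(?:#|$))"
)


def parse_npmrc(text):
    """Parse ini-style key=value lines; ';' and '#' start comments."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def is_git_spec(spec):
    """True if a dependency spec points at a git source."""
    if GIT_SPEC.match(spec):
        return True
    # GitHub shorthand "owner/repo[#ref]": no scheme, no leading '@', one slash
    return bool(re.match(r"^[\w.-]+/[\w.-]+(#.*)?$", spec))


def git_dependencies(package_json):
    """List (field, name, spec) for every git-sourced dependency."""
    pkg = json.loads(package_json)
    found = []
    for field in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in pkg.get(field, {}).items():
            if is_git_spec(spec):
                found.append((field, name, spec))
    return found


def audit(npmrc_text, package_json, min_days=7):
    """Return a list of findings; an empty list means both settings are on."""
    cfg = parse_npmrc(npmrc_text)
    findings = []
    if cfg.get("allow-git") != "none":
        findings.append("allow-git is not 'none'; git dependencies can be installed")
    age = cfg.get("min-release-age")  # assumed to be an integer number of days
    if not age or not age.isdigit() or int(age) < min_days:
        findings.append(f"min-release-age is {age or 'unset'}; expected >= {min_days}")
    for field, name, spec in git_dependencies(package_json):
        findings.append(f"{field}: {name} resolves from git ({spec})")
    return findings


# Constructed sample input: scripts are disabled but neither new setting is present
SAMPLE_NPMRC = "ignore-scripts=true\n; allow-git and min-release-age not set\n"
SAMPLE_PACKAGE_JSON = json.dumps({
    "dependencies": {"left-pad": "^1.3.0", "some-lib": "github:example/some-lib#main"},
    "devDependencies": {"tool": "example/tool"},
})
```

Running `audit(SAMPLE_NPMRC, SAMPLE_PACKAGE_JSON)` yields four findings: the two missing settings and the two git-sourced packages.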
A lot has happened in the last two minor releases of the npm cli that is important to know for people using it:
v11.9: allow-git flag
v11.10: min-release-age
Ok I tried to create a post because I am really happy that I gave the talk and wanted to mention and thank npmx but I was nervous about how it sounds so I reworded it again and again and after posting it I noticed it sounds like a LinkedIn post now… well. You got to start somewhere.
There are things to improve (I for one would really like to see github.com/npmx-dev/npm... come to life) but even just right now in the canary state npmx.dev already helped me tremendously not only in regards to my presentation. I really appreciate the work of all the contributors
Screenshot of the npmx.dev website with the Nuxt package opened. It displays a banner saying "1 vulnerability in 1/506 packages" and another one saying "2 deprecated dependencies"
When looking at a package I am informed about vulns and deprecated packages and can start my own journey of looking into the specifics and seeing if it affects me. It helps me to pay attention!
Especially when you are a new developer you don't even think about the possible pitfalls.
This is why educating people is so important. I added @npmx.dev as an example because it does that in an unobtrusive way.
White male person presenting. He is pointing and looking at a screen which can't be seen
Did my first talk regarding npm supply chain attacks at an internal developer conference last week.
My main talking point: Pay attention. It is so easy to mindlessly run an npm install without thinking about possible consequences.
Yeah, new account, just started interacting. I will probably spend some time in other feeds to diversify my timeline.
That's super cool! But the overlap with my "For you" feed is nearly 100%
Thanks a lot! Worked like a charm