Ask HN: Post leftpad-ocolypse, practical guidelines for Node devs?

19 points by jonahx ↗ HN
I'm looking for practical takeaways in the wake of the npm/leftpad disaster?

Should I still use npm? If so, should I adopt specific practices in my package.json, etc?

Should I be considering some other package manager?

Other stuff?

9 comments

[ 3.9 ms ] story [ 28.5 ms ] thread
The advice is simple: Don't rely on third-party stuff you can implement yourself with no significant effort. And for stuff you can't, backup those modules.
What is the best way to backup modules? Do you need to create your own private module host, as you can for ruby gems?
I may sound old but one can start with just backing up node_modules/ directory.

If third party modules are hosted on GitHub, you can fork them.

vendoring if such a thing is possible is the first thing that comes to mind
Is there a package manager out there with signed releases (GPG or something)?
"if a repo is worth using, it's worth mirroring, and archiving. and potentially forking, too."

-- i just made that up.

(but we actually do, in fact, do all of that for our major dependencies like upstream OS's, build deps, gitgub repos, cm, etc.)

if you don't have anyone on your team that knows how ......... well, you should probaby fix that.

Commit your node_modules to source control. I've saved myself repeatedly by not putting node_modules in the project's gitignore.

- All developers on a project are in sync. - You can get the repo back into a good state if npm choked. - You can go back in time to a prior version with all of it's actual dependencies at that point in time.

I'd suggest people bake in an archival process during their deploys so you always have a zip/tarball of the entire source code and node_modules that you deploy, but still use npm install during development.