rlidwka / yapm Goto Github PK

Every time I install a package with yapm, my package.json get converted from tabs to two spaces.

Need to fix npm/npm#3059 .

Does more harm than it's worth. People who really need something to be compiled should use make as an install script anyway.

Is there a plan to support semver with private repositories that are not on GitHub? It could retrieve the tags (using the loaded SSH key) and find the most recent one that matches against the specified semvar string.

Something like:

"dependencies": {
    "git+ssh://myprivatesite.com/project/repo": "0.2.x",
}

@rlidwka Is this repo still maintained? I see it hasn't been synced with upstream since last January.

We're still using yapm and while the improvements are great, it still tickles me that it's now falling behind the main npm. As great as they are, I could probably do without all the improvements yapm provides but the JSON5 support, and that's solely for the comments support. I see npm/read-package-json#46 which gives me hope, but I'm not holding my breath.

Moreover, since the switch from npm/yapm 1.x to 2.x, the --save and --save-dev commands don't save back to the JSON5 anymore, even though the packages get installed. If this repo is still maintained I could always open a separate issue for that.

Thank you for your great work!

... that packs all listed dependencies (except dev maybe?).

...

This is apt-get's progress bar:

Get:13 http://archive.ubuntu.com/ubuntu/ saucy/main groff-base amd64 1.22.2-3 [719 kB]
4% [13 groff-base 298 kB/719 kB 41%]                                 196 kB/s 4min 11s 

yum:

Downloading Packages:
mc-4.7.0.2-3.el6.x86_64.rpm                                          | 1.6 MB     00:00     
Running Transaction
  Installing : 1:mc-4.7.0.2-3.el6.x86_64 [#######                                     ] 1/1

We'll probably need something like that.

I ran afoul of this error when trying to install yapm:

npm ERR! Error: setuid user id does not exist
npm ERR! at /usr/local/lib/node_modules/npm/node_modules/uid-number/uid-number.js:44:16
npm ERR! at ChildProcess.exithandler (child_process.js:635:7)
npm ERR! at ChildProcess.EventEmitter.emit (events.js:98:17)
npm ERR! at maybeClose (child_process.js:743:16)
npm ERR! at Socket. (child_process.js:956:11)
npm ERR! at Socket.EventEmitter.emit (events.js:95:17)
npm ERR! at Pipe.close (net.js:465:12)

62a97cd

Need docs and tests...

...

We should install packages to "node_modules.tmp" folder and then do a "mv node_modules.tmp node_modules". So modules can be require'd while npm is updating.

yapm init doesn't add one

now it's download only

because DRY

there was a discussion about that in npm issue tracker...

after ctrl+c lockfiles are still in place

Especially important if we're publishing different modules to two different places.

Copy-pasting my issue from npm/npm#4711 :

Login and password are stored and transferred over a wire in plain text.

It might be fine, but it's too easy to send them into the wrong place:

$ npm adduser
$ npm publish --reg http://localhost:12345/

$ nc -l 12345
POST /_session HTTP/1.1
host: localhost:1234
accept: application/json
content-type: application/json
content-length: 27
Connection: keep-alive

{"name":"foo","password":"bar"}

Whoops.

Add-auth option is especially dangerous, because npm install whatever --registry http://localhost:12345/ --add-auth=true will send your credentials even on install.

Web browser will never send your password to a different domain, so npm behaviour is unexpected and might open a few social engineering possibilities.

Ideally, the fix would be to lock "_auth" string with a "repository" it belongs to, and drop it if repository changes for whatever reason.

You use process.binding in lib/adduser.js#L11.

There is an ongoing discissuon on deprecating it: nodejs/node#2768, that code should be rewritten without process.binding.

It should be fairly simple, I guess.

removes itself before installing...

npm/npm#4016
https://groups.google.com/d/topic/nodejs/nZvWM95_5qM/discussion

verification exists already, but publishing requires some work... I'm not sure I'm on right track though, since it can't be easily implemented for git registries and other tarballs

crazy idea: maybe sign shasums list and place it inside of a repository?

upstream fails these tests:

not ok test/tap/ignore-scripts.js ..................... 50/51
not ok test/tap/lifecycle-signal.js ..................... 1/3
not ok test/tap/prepublish.js ........................... 1/2
total ............................................... 872/876

Current yapm adds these failures:

not ok test/tap/ls-no-results.js ........................ 1/2
not ok test/tap/outdated-json.js ........................ 0/1

visionmedia/npm adds these:

(.....)
not ok test/tap/peer-deps-invalid.js .................... 1/2
not ok test/tap/peer-deps-without-package-json.js ....... 1/2
not ok test/tap/prepublish.js ........................... 1/2
not ok test/tap/url-dependencies.js ..................... 2/3

investigating...

npm/3494

Make output like this:

$ yapm run
 error - npm run-script [<pkg>] <command>
         Available scripts are:
          - test:       "node ./test/run.js && tap test/tap/*.js"
          - tap:        "tap test/tap/*.js"
          - prepublish: "node bin/npm-cli.js prune --prefi[...]
          - dumpconf:   "env | grep npm | sort | uniq",
          - echo:       "node bin/npm-cli.js"
 error - not ok code 0

npm/npm#4888

Currently yapm install something equals to yapm install something@latest, where "latest" is a most recent package.

Desirable behaviour is to install highest semver version available.

Maybe "default" tag?

I was waiting for it to be released to merge it all at once. Now it seems like that time has come.

Ohh... that diff is scary...

Any alternative you guys suggest for people who want to use yaml or json5 instead for the package.json file?

to run xpkg every time I create a new version... maybe

It'll dramatically decrease an amount of transferred data:

$ curl http://registry.npmjs.eu/yapm | wc -c
150725
$ curl http://registry.npmjs.eu/yapm | gzip | wc -c
10010

1. Support for configuring a format like npm init --json5 or npm init --yaml.
2. Show result before writing it (currently it shows json).

This is not helpful:

alex@elu:/tmp$ cp /etc/passwd package.json
alex@elu:/tmp$ npm install
npm ERR! install Couldn't read dependencies
npm ERR! Failed to parse json
npm ERR! Unexpected token r
npm ERR! File: /tmp/package.json
npm ERR! Failed to parse package.json data.
npm ERR! package.json must be actual JSON, not just JavaScript.
npm ERR! 
npm ERR! This is not a bug in npm.
npm ERR! Tell the package author to fix their package.json file. JSON.parse