sampson crowley
All packages being scoped is 100000% a good thing. What is your alternative???
How often are you adding completely new packages that typing @octadev/ is actually any more difficult?
Also there are already a LOT of regular NPM packages that have the same caveat (@babel/preset-env, anyone?) so I think the point is moot
Eric Swanson
I too favor scoped packages. Plus, I almost always copy-paste the install command from a project’s readme.
sampson crowley
Seriously, plus it means you always know exactly who wrote it just by looking at your package.json
Russell Smyth
I logged into discus just to say the same thing! scoped packages is absolutely +1!
Russell Smyth
The npm login requirement isn’t really an ugly - most corporate npm repos/proxies will require the same. Hopefully proxying GitHub published repos is easily obtained for those use cases.
Liviu Ionescu
The npm login requirement for consuming packages is almost a show stopper for many/most regular users. Right now I maintain some CLI tools based on Node.js, and everybody can install them anonymously with npm, no questions asked. I simply cannot migrate them to the GitHub Package Registry, since this will break all scripts using these tools, not to mention all CI/CD environments. I disagree, the npm login requirement is really an ugly, a very bad one.
Venryx
This page seems to indicate that you won’t need to login for access to public repositories – it’s just like that during the beta: https://medium.com/cloud-na…
==========
“Anonymous access to public packages will be allowed. As of the beta, however, users will need to log in via GitHub, according to Rajuyn.”
Liviu Ionescu
If the author has some inner sources from inside GitHub, well, yes, it might happen, but currently I could not find any reference in GitHub documentation.
Dan Dascalescu
NPM has a mind-boggling, to me, security flaw: what you install from NPM is not necessarily the package you see on GitHub!
Someone can publish a totally clean database driver package on GitHub, then change a few lines in one file to phone home all connection strings, then publish that on NPM. The vast majority of people don’t audit, and those who look through the code on GitHub won’t see anything suspicious.
This has happened multiple times on NPM, and even though NPM isn’t the only package system vulnerable to these attacks, it’s the most popular and hence, most targeted.
If the GitHub registry guaranteed that a package is compiled from the source you see on GitHub, e.g. via a GitHub Action that’s also publicly auditable, then we solve this problem.
With npm being bought by GitHub, this will hopefully happen at some point.