GitHub has announced GitHub Package Registry. Does this spell the death for npm?
All packages being scoped is 100000% a good thing. What is your alternative???
How often are you adding completely new packages, such that typing @octadev/ is actually any more difficult?
Also, there are already a LOT of regular NPM packages that have the same caveat (@babel/preset-env, anyone?), so I think the point is moot.
I too favor scoped packages. Plus, I almost always copy-paste the install command from a project’s readme.
Seriously, plus it means you always know exactly who wrote it just by looking at your package.json.
Scoped packages ftw
I logged into Disqus just to say the same thing! Scoped packages are absolutely +1!
The npm login requirement isn’t really an ugly; most corporate npm repos/proxies will require the same. Hopefully proxying GitHub-published repos is easily obtained for those use cases.
npm login requirement for consuming packages is almost a show stopper for many/most regular users. Right now I maintain some CLI tools based on Node.js, and everybody can install them anonymously with npm, no questions asked. I simply cannot migrate them to the GitHub Package Registry, since this will break all scripts using these tools, not to mention all CI/CD environments. I disagree, the npm login requirement is really an ugly, a very bad one.
This page seems to indicate that you won’t need to log in for access to public repositories; it’s just like that during the beta: https://medium.com/cloud-na…
“Anonymous access to public packages will be allowed. As of the beta, however, users will need to log in via GitHub, according to Rajuyn.”
If the author has some inside sources at GitHub, well, yes, it might happen, but currently I could not find any reference in the GitHub documentation.
NPM has a mind-boggling, to me, security flaw: what you install from NPM is not necessarily the package you see on GitHub!
Someone can publish a totally clean database driver package on GitHub, then change a few lines in one file to phone home all connection strings, then publish that on NPM. The vast majority of people don’t audit, and those who look through the code on GitHub won’t see anything suspicious.
If the GitHub registry guaranteed that a package is compiled from the source you see on GitHub, e.g. via a GitHub Action that’s also publicly auditable, then we solve this problem.
With npm being bought by GitHub, this will hopefully happen at some point.