
Comments (6)

mrazauskas commented on May 26, 2024

@wraithgar Thanks for the explanation.

Just a detail: paths start with ./ in the documentation examples, but ./ gets stripped by auto-correct as well. It felt like ./bin.js and bin.js are equivalent. It is interesting to ask why ./ gets stripped. For instance, fields like main are allowed to have a path starting with ./.

from package-json.

wraithgar commented on May 26, 2024

What about packages that are already published with bin

They will continue to be supported, and package managers will likely have to support that form indefinitely.

Will it be enforced by the registry

The enforcement will primarily be that they can't differ. See below for security caveats.

Isn't this discrepancy an npm-specific thing? Why not just not make the translation

Probably yes. npm has been doing this translation a LONG time. The initial choice was to do the smallest change possible, which was to change nothing, and start warning users that the change was even happening.

The next step has not been planned out, but I suspect that SOME form of bin entry validation is going to have to occur. Some of the normalization in https://github.com/npm/npm-normalize-package-bin and now https://github.com/npm/package-json is security related and will not be going away. In those cases I can see a future where the npm registry flat out refuses to accept them. That's not a near future though, as there is a pretty long tail of support for existing package managers.

If you feel you have a good suggestion for where that middle ground lies: i.e. normalizing the security stuff but leaving the rest alone, we'd be very open to that.

TLDR the last thing we want to do is break existing packages, and we want to give folks a LOT of time to get their package.json entries fixed in the event the registry starts enforcing more security filtering.


wraithgar commented on May 26, 2024

We'll want to update the docs on this. Under the hood npm was always silently converting the string to the object form, meaning the packument didn't match the package.json. We're slowly trying to remove those differences, so folks will want to use the full form going forward.


trivikr commented on May 26, 2024

We'll want to update the docs on this

I think users who have the short form in their package.json may like to preserve it because of readability, especially since the documentation provided it as an alternative.

under the hood npm was always silently converting the string to the object form

Can npm cli continue to do this without emitting warning?


wraithgar commented on May 26, 2024

Can npm cli continue to do this without emitting warning?

No, in the future this will not be permitted. Having a package.json file on disk that differs from the manifest in the registry is a security concern.


arcanis commented on May 26, 2024

folks will want to use the full form going forward.

What measures exactly will you be taking? Will it be enforced by the registry (in which case is there anywhere Yarn can subscribe to be aware of similar changes)? What about packages that are already published with bin being a string (ex)?

under the hood npm was always silently converting the string to the object form, meaning the packument didn't match the package.json

Isn't this discrepancy an npm-specific thing? Why not just not make the translation, rather than deprecate "bin can be a string"?
