Starting npkill triggers an HTTP request about npkill HOT 11 CLOSED

Version 0.4.3 is already on the air!

We have included a new option that avoids checking any type of parameter
-nu or --no-check-update

from npkill.

Hi! Sorry for the delay.

Yes, I understand. There is a simple reason for not using update-notifier, and that is that npkill aspires to be a lightweight module. That is, to have as few dependencies as possible.

About the updating only once a day, we could implement it in the future, it's certainly an interesting option. We do, however, have our hands full with fixing a few bugs that have come up. We'll add it to our roadmap.

Once again, thank you for your suggestions, we appreciate it

from npkill.

Interesting ... but in the end, it remains an https request.

I see the option of being able to configure that updates are not checked interesting.
We will implement this option in npkill.
Thank you for the suggestion!

from npkill.

Also, maybe just switch to using this: https://github.com/yeoman/update-notifier

It seems to be a more common approach that other CLIs yse.

from npkill.

+1 for update-notifier. Users can choose to opt-out.

from npkill.

@zaldih Thanks for the update. I haven't checked carefully, but I presume you check for updates anytime the cli is called?

That's one reason I was suggesting update-notifier, it only checks once a day (configurable),see https://www.npmjs.com/package/update-notifier#how.

from npkill.

Hi! The HTTP request that npkill makes is a GET request to a file hosted on a github server (https://npkill.js.org/version.json), as you may see if you take a look at the source code. However, I can understand perfectly that this may seem suspicious at first sight.
We check for new versions by means of an HTTP request because it is the only way we could think of to achieve this. Would you care to suggest a better method to check versions? We would appreciate it.
Thanks for opening this issue :)

from npkill.

Yeah, I know it's benign. I am just thinking that with all of these recent scares in the NPM world with injections and all. We all should be careful. I have a firewall set to deny all calls to third parties. And it got triggered.

I just don't think tools should be even checking for new versions. There are tools on NPM that can assist you with updates already.

But it's just my opinion.

from npkill.

I will look into the NPM tools that you mention. To be honest, I wasn't quite happy with our solution, but it was the only way we could think of. Thank you.

from npkill.

I like using this one: https://www.npmjs.com/package/npm-check

It has a flag for checking global package versions:

$> npm-check -g

It is not automatic though.

from npkill.

Sincerely thank you for your participation. we appreciate it.
I will close the issue. Do not hesitate to reopen it if you have any news!

from npkill.