by lollipop25 3731 days ago
> I don't understand why one guy pulling their repository off the npm servers affected others' projects.

That's because 1) npm isn't immutable. The owner of a package can delete the package on npm. 2) Developers (re)download the entire dependency tree prior to build. A missing dependency down that tree will cause the download to fail.

> Why did everyone else's code refer directly to that guy's repository, and not some centrally-maintained clone thereof?

The "repo" everyone's talking about is npm. npm is the centrally-maintained storage. What happened is that the guy pulled out his modules from npm.

> So if a project goes down, the package stays on the RH server and you can still get it anytime you want.

That's what everyone wishes for npm actually, for that package to live forever once released to npm. Sadly, again, npm isn't immutable.

But again, there's this suggestion of "bundling before release", making a dependent self-contained. That way, in the event a dependency is missing, the worst it could do is paralyze the dependent's next build, but not make the existing build unavailable.
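The mechanism the comment describes, as an added illustration that is not part of the thread or of npm itself: a toy model of transitive resolution against a mutable registry, followed by "bundling before release". All package names (`app`, `formatter`, `pad-util`) and the in-memory registry are constructed for the example. The real-world analogue is npm's `bundleDependencies` field in package.json together with `npm pack`, which ships the resolved tree inside the published tarball; a lockfile alone pins versions and integrity hashes but still fetches every package from the registry, so it does not help once a package has been unpublished.

```javascript
// Added example (not code from the HN thread or from npm): a toy model of
// npm-style transitive resolution against a mutable registry, and of
// "bundling before release" as a defence. All package names and the
// registry contents below are constructed for illustration.

// Constructed in-memory registry: name -> version -> manifest.
const registry = {
  "app":       { "1.0.0": { dependencies: { "formatter": "2.1.0" } } },
  "formatter": { "2.1.0": { dependencies: { "pad-util": "1.0.3" } } },
  "pad-util":  { "1.0.3": { dependencies: {} } },
};

class MissingDependencyError extends Error {
  constructor(name, version, via) {
    super(`cannot fetch ${name}@${version} (required by ${via})`);
    this.name = "MissingDependencyError";
    this.missing = `${name}@${version}`;
  }
}

// Resolve the full dependency tree the way a fresh install does: every
// transitive dependency is fetched from the registry, and one missing node
// anywhere in the tree aborts the whole install.
function resolveTree(reg, name, version, via = "<root>", seen = new Map()) {
  const key = `${name}@${version}`;
  if (seen.has(key)) return seen.get(key);
  const manifest = reg[name] && reg[name][version];
  if (!manifest) throw new MissingDependencyError(name, version, via);
  const node = { name, version, dependencies: {} };
  seen.set(key, node);
  for (const [depName, depVersion] of Object.entries(manifest.dependencies)) {
    node.dependencies[depName] = resolveTree(reg, depName, depVersion, key, seen);
  }
  return node;
}

// Flatten a resolved tree into the set of packages a build needs.
function flatten(node, out = new Set()) {
  out.add(`${node.name}@${node.version}`);
  for (const child of Object.values(node.dependencies)) flatten(child, out);
  return out;
}

// "Bundle before release": at publish time, snapshot the resolved tree into
// the artifact, so later installs never consult the registry for it.
function bundleForRelease(reg, name, version) {
  const tree = resolveTree(reg, name, version);
  return { name, version, bundled: flatten(tree) };
}

// Installing a bundled artifact only needs what is inside the artifact.
function installBundled(artifact) {
  return Array.from(artifact.bundled).sort();
}

// Model the registry being mutable: an owner unpublishes a package.
function unpublish(reg, name) {
  const copy = JSON.parse(JSON.stringify(reg));
  delete copy[name];
  return copy;
}

// Scenario: the artifact is released while everything is still published,
// then a deep transitive dependency disappears from the registry.
function scenario() {
  const artifact = bundleForRelease(registry, "app", "1.0.0");
  const mutated = unpublish(registry, "pad-util");
  let freshInstallError = null;
  try {
    resolveTree(mutated, "app", "1.0.0");
  } catch (e) {
    if (!(e instanceof MissingDependencyError)) throw e;
    freshInstallError = e.missing;
  }
  return {
    freshInstallError,                        // the fresh install fails here
    bundledInstall: installBundled(artifact), // the released artifact is still complete
  };
}

console.log(JSON.stringify(scenario(), null, 2));
```

The point the model makes is the asymmetry in the comment: the same unpublish event breaks every fresh resolution of `app`, but the artifact that bundled its tree at release time installs unchanged, so only the next build of `app` is blocked, not the existing one.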