by js4all 3174 days ago
Am I the only one who thinks running scripts on a site directly from npm is a bad idea? What happens when an incompatible change in any of the dependencies is pushed? What if a package owner has transferred his ownership and the new owner pushes whatever he wants?
2 comments

Using unpkg.com as an example, they redirect from the root URL of a package to the latest version. For instance, https://unpkg.com/mithril will redirect to https://unpkg.com/mithril@1.1.4/mithril.js

For example, if adding a URL on https://flems.io, it will store the xhr.responseURL to take advantage of this to pin the version. I would guess Scrimba does something similar?
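The auto-pinning described in this comment, as an added example that is not code from the thread, flems.io or unpkg: follow the CDN redirect, keep the versioned URL it lands on, and refuse to store anything that is still unpinned. The fetch implementation is injected so the example runs offline against a constructed stand-in for unpkg's redirect; the `1.1.4` version is the one quoted above, used as sample data.

```javascript
// Matches unpkg-style paths: /<name>@<version>/<file>, scoped packages included.
const PINNED_RE = /^\/((?:@[^/@]+\/)?[^/@]+)@([^/]+)(\/.*)?$/;

// Parse a CDN URL; returns {name, version, file} when it carries an explicit
// version, or null when it is unpinned (e.g. https://unpkg.com/mithril).
function parsePinnedUrl(url) {
  const { pathname } = new URL(url);
  const m = PINNED_RE.exec(pathname);
  if (!m) return null;
  return { name: m[1], version: m[2], file: m[3] || '' };
}

function isPinned(url) {
  return parsePinnedUrl(url) !== null;
}

// Resolve an unpinned URL to the versioned one the CDN redirects to. This is
// the same idea as reading xhr.responseURL; fetchImpl defaults to the global
// fetch (Node 18+ / browsers) and is replaceable for offline testing.
async function pinCdnUrl(url, fetchImpl = globalThis.fetch) {
  if (isPinned(url)) return url;                 // already pinned, keep as-is
  const res = await fetchImpl(url, { redirect: 'follow' });
  if (!res.ok) throw new Error(`CDN request failed: ${res.status}`);
  if (!isPinned(res.url)) {
    // A CDN that serves "latest" without redirecting gives nothing to pin to.
    throw new Error(`CDN did not redirect to a versioned URL: ${res.url}`);
  }
  return res.url;                                // store this, not the input
}

// Constructed stand-in for fetch that mimics unpkg's redirect for mithril.
function fakeUnpkgFetch(url) {
  const redirects = {
    'https://unpkg.com/mithril': 'https://unpkg.com/mithril@1.1.4/mithril.js',
  };
  const target = redirects[url] || url;
  return Promise.resolve({ ok: true, status: 200, url: target });
}

pinCdnUrl('https://unpkg.com/mithril', fakeUnpkgFetch)
  .then((pinned) => console.log('pinned URL:', pinned));
```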

Wow, so you auto-pin, that's great!
For one-off examples it is just convenient. For long-lasting demos, it would be wise to pin the versions.