by gpsx 3081 days ago
I've used NPM only a little but this scares me. What are NPM alternatives?
4 comments

This question is important: what are the alternatives to npm? Surely someone has something out there with code signing and single-use package names for node/JS?
Verdaccio [https://github.com/verdaccio/verdaccio] looks like a viable open source alternative. Presumably you could use it to download the packages you needed, then disable proxying to the NPM registry.
There aren't any. Yarn is a better package manager than the npm client, but the problem is in the npm registry, and that's the same for both yarn and npm.
NPM shouldn't scare you. Simple fact is you should not be relying on ANY package registry at the time of deployment.
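The two practical points raised so far (a registry that cannot sign or pin what it serves, and not depending on a registry at deploy time) both come down to the same pre-deploy check: does the lockfile pin every package to an immutable artifact with a strong integrity hash from the registry you expect? The script below is an added example written for this thread, not code from any commenter or from npm; the lockfile shape it reads (the flat `packages` map of lockfile v2/v3 and the nested `dependencies` tree of v1) is the format as I understand it, the allowed-registry list is an assumption you would set for your own mirror, and the sample lockfile is constructed inline.

```python
import json

# Constructed sample package-lock.json (lockfileVersion 2 shape), not from a real project.
# left-pad is fully pinned; some-lib lacks an integrity hash; odd-dep resolves to git.
SAMPLE_LOCK = json.dumps({
    "name": "example-app",
    "lockfileVersion": 2,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0"},
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
            "integrity": "sha512-PLACEHOLDERBASE64DIGEST==",  # placeholder, not a real digest
        },
        "node_modules/some-lib": {
            "version": "2.0.0",
            "resolved": "https://registry.npmjs.org/some-lib/-/some-lib-2.0.0.tgz",
            # no "integrity" field: npm cannot verify the tarball it fetches
        },
        "node_modules/odd-dep": {
            "version": "0.1.0",
            "resolved": "git+ssh://git@github.com/example/odd-dep.git#abc123",
            # no "integrity" and not from the registry at all
        },
    },
})

# Assumption: the registries (or private mirror such as Verdaccio) you are willing to
# fetch from at deploy time. Anything else in "resolved" is flagged.
ALLOWED_REGISTRY_PREFIXES = ("https://registry.npmjs.org/",)


def iter_lock_entries(lock):
    """Yield (package name, entry) for every dependency in a v1, v2 or v3 lockfile."""
    if "packages" in lock:
        # v2/v3: flat map keyed by the node_modules path of each installed package
        for path, entry in lock["packages"].items():
            if path == "" or entry.get("link"):
                continue  # skip the root project and workspace symlinks
            yield path.split("node_modules/")[-1], entry
        return

    # v1: nested "dependencies" tree, one level per node_modules directory
    def walk(deps):
        for name, entry in deps.items():
            yield name, entry
            yield from walk(entry.get("dependencies", {}))

    yield from walk(lock.get("dependencies", {}))


def audit_lockfile(text, allowed=ALLOWED_REGISTRY_PREFIXES):
    """Return a list of (package, problem) pairs; an empty list means the lockfile
    pins every dependency to an allowed registry with a sha512 integrity hash."""
    lock = json.loads(text)
    findings = []
    for name, entry in iter_lock_entries(lock):
        resolved = entry.get("resolved", "")
        integrity = entry.get("integrity", "")
        if not integrity:
            findings.append((name, "missing integrity hash"))
        elif not integrity.startswith("sha512-"):
            # sha1 integrity strings still appear in old lockfiles; treat them as weak
            findings.append((name, f"weak integrity algorithm: {integrity.split('-', 1)[0]}"))
        if not resolved.startswith(allowed):
            findings.append((name, f"resolved from unexpected source: {resolved or '<none>'}"))
    return findings


def lockfile_is_deployable(text, allowed=ALLOWED_REGISTRY_PREFIXES):
    """True only when the audit produces no findings."""
    return not audit_lockfile(text, allowed)


if __name__ == "__main__":
    for package, problem in audit_lockfile(SAMPLE_LOCK):
        print(f"{package}: {problem}")
    print("deployable:", lockfile_is_deployable(SAMPLE_LOCK))
```

Run it against a real `package-lock.json` by reading the file into `audit_lockfile`; a clean result is the precondition for installing from a vendored cache or mirror rather than from the live registry, which is the property the comment above is asking for.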
> NPM shouldn't scare you.

It absolutely should, just like any dependency on any other third party code or servers. Especially when they regularly have incidents like this.

> Simple fact is you should not be relying on ANY package registry at the time of deployment.

This is true, but doesn't prove the previous claim.

> NPM shouldn't scare you.

>> It absolutely should, just like any dependency on any other third party code or servers

There's no need to be scared of any of those things if you understand the trade-offs and risks.

>> Especially when they regularly have incidents like this.

They don't.

>> Simple fact is you should not be relying on ANY package registry at the time of deployment.

> This is true, but doesn't prove the previous claim.

The 'previous claim' follows from it. If you don't treat a package registry like an essential part of your own infrastructure, there's no need to be scared of it.

These days we deploy whole virtual machines from image repositories.