by Klathmon 3081 days ago
>If npm packages used a Github-style "author/package" format, name collision would never be an issue again.

They have that, and many are finally starting to take advantage of it (with babel being the most prominent with their latest version)

But this doesn't completely "fix" the problem, since the exact same conflicts can still happen with the "author" name (if someone takes "google" there are going to be some very upset Californians)


It does fix the problem, although consumers of the package need to first verify they trust the original author.

For example, if Google published "Google/polymer", dependents would be unaffected if a new package was published from "badguy/polymer". I think you're saying it's still not fixed because someone could register the Google author name before the real Google gets it, but that is an understood problem across every website.

> (if someone takes "google" there are going to be some very upset Californians)

Not a problem at all. They will just get the name by force. It already happened before, google "npm kik".

Yeah, but it's still a "problem" in that it technically doesn't change anything from the current system.

The issue isn't people assuming that every alias on the internet is truthful, very few people (hopefully) do.

The problem is a package URI being reused without me realizing, and that problem would be solved.

>But this doesn't completely "fix" the problem, since the exact same conflicts can still happen with the "author" name (if someone takes "google" there are going to be some very upset Californians)

The idea is that the author name maps to an actual repo and should serve as a second layer of authentication outside of NPM's control. The namespace should belong to the repository owner.

No one should be able to "take" google/ since the actual Google already owns github.com/google.

That would make a connection between Github and NPM. What if I want to use Bitbucket?

I'm suggesting NPM integrate Github's authentication API into their publishing process, to validate that the author owns a namespace if NPM doesn't already do that (I don't know, I don't use NPM.) If Bitbucket allows the same, then that's OK. The point is to have authors control namespaces, and NPM control package names but only validate namespaces. If namespaces are just another string that NPM controls and that can be handed out, revoked or taken over like package names then using them doesn't solve the intended problem at all.

Since NPM uses a centralized registry, though, some limitations would have to be imposed, and allowing multiple sources would mean allowing for conflicts between github:google/package and bitbucket:google/package. Ideally, namespaces should be unique and canonical, and the simplest way to accomplish that is just to allow publishing to a single source.

Keep a git mirror of your Bitbucket repository on GitHub.