|
|
|
|
|
|
by AgentME
2264 days ago
|
|
|
NPM disallowed un-publishing modules within a few days of that incident. It's not a thing that happens any more. Also, NPM for years has defaulted to creating lockfiles with all the specific versions of dependencies pinned, so even if a dependency gets updated to have a bug, you will stay on the currently-pinned version unless you specifically change that. |
|
|
Except it literally happened again 2 years after the left-pad incident:
https://status.npmjs.org/incidents/41zfb8qpvrdj https://github.com/facebook/create-react-app/issues/3701 https://github.com/angular/angular-cli/issues/9113
But anyway whether or not the module is un-published doesn't really matter. The module could also just become malicious. Ownership changes, quality of code changes, etc... If you're pinning with lockfiles you're basically back to copy/pasting or checking in a clone of an upstream repo - the maintenance burden shifts back to you at that point. You still then have to manually go update, and remember to do that, or you become just as easily obsolete as the copy/pasted snippet.