by corytheboyd 2026 days ago
Looks neat, but why is this a thing?

> import "packages" from npm without installation

IIRC rollup does the same thing by default. This project mentions it uses rollup so maybe that’s where it’s coming from.

Using npx to run executables also does this IIRC.

And I never want it, especially if I have to opt-out. I want there to be friction to adding dependencies, it should be a carefully considered process.

Otherwise, would be curious to see how this stacks up against a moderately sized application build using webpack or vanilla rollup too. To see that, we will just need adoption over time, will keep an eye on the project!

Update: It’s not rollup that auto-installs packages, I was confusing it with parcel.

Rollup doesn’t import automatically, Parcel does.

`npx`’s specific use case, though, is specifically to run scripts that you haven’t installed - else you’d use `yarn/npm run whatever`.

D’oh you’re completely right about rollup vs parcel. I always get them confused because I trialed them simultaneously :p

Huh, I wasn’t aware of that being the primary use case of npx. I assumed the primary use case was to be sugar on top of ‘./node_modules/.bin/*’, which the documentation seems to lead with too (https://github.com/npm/npx)

They immediately call out auto-installation as a feature after that, but apparently there is a `--no-install` flag you can use too. I guess I would have expected this to be opt-in through `--auto-install` or something is all.

I’m honestly astonished that this is a selling point. Sure, fewer steps sounds nice... but in addition to your (correct) point about friction when adding dependencies, it’s also a security and compatibility nightmare. And it likely makes using tools like typescript an exercise in frustration if it’s even possible.

Edit: I’d also add that npx has all of the same problems multiplied by being even less frictionful.

I didn’t realize it installed packages automatically until I tried running my application in another environment where it crashed due to a missing package. When I found out why I was a bit upset :P

This is terrible, if you forget to add the package to your manifest, what, is the expected behavior that you just run the latest version always? Why would you want that in a production environment ever? Especially when the package manager is RIGHT THERE and already solves the problem in a well understood way. Huge step backwards IMO

It's designed for rapid prototyping. You can just use npm or yarn and ignore this feature though, it's entirely optional.

FWIW the surface area for security issues here is far smaller than npx or similar tools, because WMR only writes JS/CSS/TS files to disk, and doesn't execute package scripts (where most vulnerabilities reside).

Yeah, pnpm helps fix a related issue wherein flat node_modules (ie, npm or yarn) can lead to the existence of undeclared dependencies. Check it out if you care about proper dependency mgmt.

It’s very much on my list. I was really gunning for yarn 2 for some greenfield projects but after finding its awful rough edges I looked more at pnpm and it feels much more in line with what I want.