by eyelidlessness 2025 days ago
I’m honestly astonished that this is a selling point. Sure, fewer steps sounds nice... but in addition to your (correct) point about friction when adding dependencies, it’s also a security and compatibility nightmare. And it likely makes using tools like typescript an exercise in frustration if it’s even possible.

Edit: I’d also add that npx has all of the same problems multiplied by being even less frictionful.


I didn’t realize it installed packages automatically until I tried running my application in another environment where it crashed due to a missing package. When I found out why I was a bit upset :P

This is terrible. If you forget to add the package to your manifest, what, is the expected behavior that you just run the latest version always? Why would you want that in a production environment ever? Especially when the package manager is RIGHT THERE and already solves the problem in a well understood way. Huge step backwards IMO

It's designed for rapid prototyping. You can just use npm or yarn and ignore this feature though, it's entirely optional.

FWIW the surface area for security issues here is far smaller than npx or similar tools, because WMR only writes JS/CSS/TS files to disk, and doesn't execute package scripts (where most vulnerabilities reside).

Yeah, pnpm helps fix a related issue wherein flat node_modules (i.e., npm or yarn) can lead to the existence of undeclared dependencies. Check it out if you care about proper dependency mgmt.
It’s very much on my list. I was really gunning for yarn 2 for some greenfield projects but after finding its awful rough edges I looked more at pnpm and it feels much more in line with what I want.