by ghusto 823 days ago
> “How can this sort of event that makes our customers angry be prevented in the future?”, they asked themselves. Their answer was a new rule: any versions of a package that has dependents cannot be removed from the registry

> We tried to hang a pretty picture on a wall, but accidentally opened a small hole. This hole caused the entire building to collapse.

These two snippets say everything that needs to be said about the JavaScript ecosystem and mentality. I'll leave it for you to decide what that is.

1 comments

Do they? Someone tried to solve a large problem with the package manager, and inadvertently created a larger problem. That simply indicates the folks at NPM didn't fully think through the edge cases of their problem/solution.

I'm curious if other package managers have the same problem identified by the author, or are susceptible to the "left-pad" problem?

On crates.io you can't unpublish a crate, you can only yank[1], which marks a package version as unusable as a new dependency. Existing dependencies on it will continue to work though, and it's still publicly available.

"This hole caused the entire building to collapse" is really overstating things since a package depending on all versions of all packages in npm results in the same behavior, which lots of people believe should be how npm should be treating publishing anyways.

The people who were mad were the tiny number of people who expected unpublishing to work, tried to unpublish during that week or two and found it unavailable.

[1] https://doc.rust-lang.org/cargo/commands/cargo-yank.html
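
An added illustration of the yank behaviour described in the comment above. It is not code from the thread or from Cargo; the registry contents, function names and lockfile shape are constructed for the example, and the resolver is a simplified model.

```python
# Simplified model of "yank" semantics; not Cargo's actual resolver.
# The registry contents below are constructed sample data.
REGISTRY = {
    "left-pad": {
        (1, 0, 0): {"yanked": False},
        (1, 1, 0): {"yanked": False},
        (1, 2, 0): {"yanked": True},   # yanked after release
    },
}


class ResolveError(Exception):
    pass


def resolve(name, major, lockfile=None):
    """Pick a version of `name` with the given major version.

    A version pinned in `lockfile` is kept even if it was yanked later,
    so existing builds keep working. Without a pin, yanked versions are
    skipped and the highest remaining match is chosen.
    """
    versions = REGISTRY.get(name)
    if versions is None:
        raise ResolveError(f"no such package: {name}")
    pinned = (lockfile or {}).get(name)
    if pinned is not None:
        if pinned not in versions:
            raise ResolveError(f"{name} {pinned} missing from registry")
        return pinned
    candidates = [v for v, meta in versions.items()
                  if v[0] == major and not meta["yanked"]]
    if not candidates:
        raise ResolveError(f"no usable version of {name} {major}.x")
    return max(candidates)


def audit_lockfile(lockfile):
    """Return pinned packages whose version has since been yanked."""
    return sorted(name for name, ver in lockfile.items()
                  if REGISTRY.get(name, {}).get(ver, {}).get("yanked"))
```

Because a pinned yanked version keeps resolving silently, a periodic check like `audit_lockfile` is how a project would notice that it still depends on a release the publisher withdrew.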