by koolba 332 days ago
Where's the code? The NPM page says it is MIT licensed but I do not see any links to a source repo.

I think most people would be wary of running random npm modules to which they will be giving database credentials and passing through their actual data.

You're right, and you're not the only one who's raised this, totally fair concern. As a developer myself, I get why running a CLI tool that touches your databases without access to the source is a hard sell.

I hadn’t initially planned to open source it, but this feedback is making me seriously reconsider. At the very least, more transparency is clearly needed, and I’m thinking through the best way to approach that.

Curious though, would you feel any more comfortable if it were a packaged desktop app (with no source) instead of a CLI? Or is open code the baseline no matter the form?

There's a big difference between a precompiled app from a company you've possibly heard of (which exists as an entity and could be sued for creating something malicious) vs. some random guy on the internet.

I personally would not run an arbitrary binary from somebody I've never heard of on my local machine. And definitely not give it database credentials or access. I also think anybody that is willing to do so is insane. There's so much garbage and malware on npm, that something that is installed via the @latest on npm is arguably even worse. Even if it's fine now, there's no telling when one of its deps could be compromised too.

Companies have to start somewhere though, lots of software exists that never was open source. I think he needs to get his tool in the hands of people who review dev tools.
> Companies have to start somewhere though, lots of software exists that never was open source

I think koolba's point was not as much about the tool being open-source as it is for a tool that runs on your machine and accesses your database with write permission, not having any guarantees it does the job it promises.

I could not agree more with him. This tool was born as a side project for my personal need, so I obviously use it without hesitation. But obviously, there is nothing to assure you that the tool won't drop your DB out of nowhere, or dump your data somewhere else.

I think going open source will allow me to build some credibility for now.

PS. I use this tool daily, but I have to admit, in the prod env I have a read-only user.

I get what he meant, but tools like Navicat as far as I know were unknown DB client tools; someone had to trust that it wouldn't mess up their PROD db somehow.

Then again, never use a new DB tool on a PROD DB, always test in lower environments.

Sure, if the product fits the market needs, some people will start using it (and I can see there was an increase in CLI installations yesterday from NPM).

So hypothetically yes, you can build trust over time (Navicat has over 20 years of development); for every N users who don't trust it now, there is 1 yolo guy who just said "Yeah, this might help me do my job".

I should've presented this post in a different way. A lot of people that came here expected a production-ready tool, while the reality is that I did this in my free time to help me do my job, I wrote the landing page in 10 minutes, and I published this post to get some feedback to see if it is something that may be interesting.

And based on what I read, I think there is interest for this tool.

I see your point. Since it's unlikely that I'll become a trusted entity anytime soon, open-sourcing it is probably the right thing to do to build some credibility.
Didn't realize one can submit nmp without source? Is this really the case?

Yes, you can publish an NPM package without having a repository linked to it. Technically you can inspect the source code using the "Code" feature on NPM, but in this case it is minified. You can see a lot of stuff though (e.g. the queries used to inspect the database, endpoints, etc.), but obviously it is not as easy to read as unbundled source code (not to mention you can use WASM, which is unreadable).

You mean npm? Of course. There's no requirement the software being published have source or even be open source. It doesn't even have to be javascript. You can publish anything you'd like as long as it has a package.json.
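The checks this thread circles around (a license claimed with no repository to verify it against, scripts that run at install time, a minified or WASM entry point) written up as a pre-install review, an added example that is not from the thread or from the tool being discussed; the manifest and entry file below are constructed samples, not the real package.

```javascript
// Added example, not from the thread or the tool it discusses: a pre-install
// review of an npm package's manifest and entry file, covering the points raised
// above (no repository link, install hooks, minified or WASM code).
// Inputs are constructed; in practice read them from the tarball `npm pack` produces.

const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Heuristic: bundled/minified output has very long non-empty lines.
function looksMinified(source, maxAvgLineLength = 200) {
  const lines = source.split('\n').filter((l) => l.trim().length > 0);
  if (lines.length === 0) return false;
  const total = lines.reduce((n, l) => n + l.length, 0);
  return total / lines.length > maxAvgLineLength;
}

// Returns a list of human-readable findings; an empty list means nothing was flagged.
function reviewPackage(manifest, entrySource) {
  const findings = [];
  const repo = typeof manifest.repository === 'string'
    ? manifest.repository
    : manifest.repository && manifest.repository.url;
  if (!repo) findings.push('no repository field: the published (possibly bundled) code is all there is to review');
  const scripts = manifest.scripts || {};
  for (const hook of LIFECYCLE_HOOKS) {
    if (scripts[hook]) findings.push(`lifecycle hook "${hook}" runs code at install time: ${scripts[hook]}`);
  }
  if (looksMinified(entrySource)) findings.push('entry file is minified/bundled; not reviewable as published');
  if (entrySource.includes('.wasm')) findings.push('entry file references WebAssembly; that logic is not readable as JS');
  return findings;
}

// Constructed sample resembling the situation in the thread: MIT license, no
// repository, a postinstall hook and a one-line bundled CLI entry point.
const SAMPLE_MANIFEST = {
  name: 'example-db-cli', version: '1.0.0', license: 'MIT',
  bin: { 'db-cli': 'dist/cli.js' },
  scripts: { postinstall: 'node scripts/report-install.js' },
};
const SAMPLE_ENTRY = '#!/usr/bin/env node\n'
  + 'const a=require("pg"),b=process.env;' + 'function f(x){return x}'.repeat(30) + '\n';

console.log(reviewPackage(SAMPLE_MANIFEST, SAMPLE_ENTRY));
```

A package that passes all four checks is still unreviewed; the point is that a failing check tells you there is nothing readable to review before handing the tool database credentials.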