Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
perlgeek 9 hours ago

Some scattered thoughts on that:

* If everybody does it, it won't work so well

* I've seen cases where folks pinned their dependencies, and then used "npm install" instead of "npm ci", so the pinning was worthless. Guess they are the accidental, free beta testers for the rest of us.

* In some ecosystems, distributions (such as Debian) does both additional QA, and also apply a cooldown. Now we try to retrofit some of that into our package managers.

K0nserv 9 hours ago | parent | next [-]

This is not how `npm install` works. This misunderstanding is so pervasive. Unless you change stuff in `package.json` `npm install` will not update anything, it still installs based on package-lock.json.

Quoting from the docs:

> This command installs a package and any packages that it depends on. If the package has a package-lock, or an npm shrinkwrap file, or a yarn lock file, the installation of dependencies will be driven by that [..]

layer8 9 hours ago | parent | prev | next [-]

"If everybody does it, <some outcome>" is rarely a good argument, because the premise rarely becomes reality.

dugidugout 7 hours ago | parent [-]

If you're prescribing a public practice you intend to be taken seriously, you should contend with what happens at scale, especially when evaluating competing alternatives, where comparative scale effects become decisive. Given the article's push for ecosystem-wide support, there's good reason to probe this hypothetical.

exasperaited 9 hours ago | parent | prev [-]

> * If everybody does it, it won't work so well

Indeed, this is a complex problem to solve.

And the "it won't work so well" of this is probably a general chilling effect on trying to fix things because people won't roll them out fast enough anyway.

This may seem theoretical but for example in websites where there are suppliers and customers, there's quite a chilling effect on any mechanism that encourages people to wait until a supplier has positive feedback; there are fewer and fewer people with low enough stakes who are willing to be early adopters in that situation.

What this means is that new suppliers often drop out too quickly, abandon platforms, work around those measures in a way that reduces the value of trust, and worse still there's a risk of bad reviews because of the reviewer's Dunning-Kruger etc.

I think the mechanism is important for people who really must use it, but there will absolutely be side effects that are hard to qualify/correct.